Re: pam_radius fail open?
On 8/19/05, Sean P. Malone <smalone@udallas.edu> wrote:
> $ cat /etc/pam.conf
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> #
> # PAM configuration for the "sshd" service
> #
>=20
> # auth
>=20
> #sshd auth required pam_radius.so -update -/usr/local/etc/radius
> #auth required pam_nologin.so no_warn
> Basically, it's an empty file as far as pam_radius knows.
>=20
I think you incorrectly configured your system, you should have edited
the /etc/pam.d/sshd file and added the pam_radius in there as:
auth required pam_radius.so -update -/usr/local/etc/radius
When you created the /etc/pam.conf file, you told PAM to not look in
the /etc/pam.d directory for config info for any of the services
listed in /etc/pam.d. This caused it to not know how to authenticate
any logins, which resulted in it allowing all logins.
I believe this is also why you were able to log into your system with just =
a:
ssh auth required pam_radius.so -update -/usr/local/etc/radius
in your /etc/pam.conf, as there was no entry for sshd in pam.conf.
Scot
--=20
DISCLAIMER:
No electrons were mamed while sending this message. Only slightly bruised.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)