Re: pam_radius fail open?
"Sean P. Malone" <smalone@udallas.edu> writes:
> I recently installed pam_radius according to the instructions located
> at the following address:
>
> https://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/PamRadius?shin=print.patern
Why? 5.3 ships with pam_radius(8).
> However, I'm not sure if I've mistakenly stumbled onto a fail open
> situation in that I'm fairly new to FreeBSD. Namely, while
> configuring /etc/pam.conf to validate SSH login credentials via radius
> against our existing Active Directory, I mistakenly typed the line for
> ssh as follows: [...]
I am surprised that editing /etc/pam.conf had any effect at all, since
/etc/pam.d/sshd takes precedence. Are you running a clean 5.3
install, or did you upgrade from 4.x?
And yes, PAM does fail open when no configuration exists. You can
easily change that by creating /etc/pam.d/default with the following
contents:
auth     required pam_deny.so
account  required pam_deny.so
session  required pam_deny.so
password required pam_deny.so
or slightly less easily by adding the appropriate check around line
100 of src/contrib/openpam/lib/openpam_dispatch.c, like NetBSD did:
if (chain == NULL)
        RETURNC(PAM_SYSTEM_ERR);
DES
-- 
Dag-Erling Smørgrav - des@des.no
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
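A defender's check for the fail-closed policy file described in the reply above, added here as an example and not part of the original mail: it verifies that a PAM policy file carries a `required pam_deny.so` line for each of the four facilities, so a missing or misspelled line is reported instead of silently leaving that facility uncovered. The function name and the regular expression are this example's own; the sample files are constructed in temporary files, not read from the live system.

```shell
#!/bin/sh
# Added example (not from the original mail): report whether a PAM policy
# file denies all four facilities, i.e. whether /etc/pam.d/default would be
# fail-closed. Returns 0 when every facility is denied, 1 otherwise.
pam_default_is_fail_closed() {
    file="$1"
    missing=""
    for facility in auth account session password; do
        # Accept any whitespace between fields; skip commented-out lines.
        if ! grep -Eq "^[[:space:]]*${facility}[[:space:]]+required[[:space:]]+pam_deny(\.so)?([[:space:]]|$)" "$file"; then
            missing="$missing $facility"
        fi
    done
    if [ -n "$missing" ]; then
        echo "$file: no 'required pam_deny.so' line for:$missing (fail-open risk)" >&2
        return 1
    fi
    echo "$file: all four facilities denied (fail-closed)"
    return 0
}

# Constructed sample policies written to temporary files.
good=$(mktemp); bad=$(mktemp)
printf 'auth required pam_deny.so\naccount required pam_deny.so\nsession required pam_deny.so\npassword required pam_deny.so\n' > "$good"
# A misspelled control flag on the password line leaves that facility unmatched.
printf 'auth required pam_deny.so\naccount required pam_deny.so\nsession required pam_deny.so\npassword requires pam_deny.so\n' > "$bad"
pam_default_is_fail_closed "$good"
pam_default_is_fail_closed "$bad" || echo "policy rejected as expected"
rm -f "$good" "$bad"
```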