| Summary: | Remote authentication using PAM is overridden by OpenSSH | | |
|---|---|---|---|
| Product: | Base System | Reporter: | joe <joe> |
| Component: | bin | Assignee: | Brian Feldman <green> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | | |
| Priority: | Normal | | |
| Version: | 2.2.8-STABLE | | |
| Hardware: | Any | | |
| OS: | Any | | |
Responsible Changed From-To: gnats-admin->freebsd-bugs
misfiled

Responsible Changed From-To: freebsd-bugs->green
Over to green, since this is allegedly a problem with our local mods to the code.

State Changed From-To: open->closed
Should not persist any longer.
A general problem with remote authentication where OpenSSH does local UID checking before it passes authentication control to PAM modules that authenticate users on remote authentication services like TACACS+ or Radius. Using functions like getpwnam simply overrides and duplicates PAM authentication schemes, which may or may not issue the same problem. These schemes with Radius or TACACS+ will both work when the username exists in the local Unix system authentication as found in the /etc/passwd and /etc/shadow files. It is understood that OpenSSH has its own use for defining rules for local users and may need to check for their existence outside of using PAM. It would be nice to allow users of PAM to control the entire authentication scheme using PAM rules versus letting an application like OpenSSH define its own scheme, which happens to override PAM before it attempts to pass control on to PAM modules.

Fix:

Place PAM module checking first before local authentication verification. auth2.c:189:

```c
189     if (authctxt->attempt++ == 0) {
190         /* setup auth context */
191         struct passwd *pw = NULL;
192         pw = getpwnam(user);
193         if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) {
194             authctxt->pw = pwcopy(pw);
195             authctxt->valid = 1;
196             debug2("input_userauth_request: setting up authctxt for %s", user);
197 #ifdef USE_PAM
198             start_pam(pw->pw_name);
```

This area might be modified to try to do PAM authentication somewhere else first and then implement this area of code? It appears to be a non-trivial code change, since this initialization using the struct authctxt is done in many places first before doing start_pam.

How-To-Repeat:

Using FreeRadius Server and PAM Module you can repeat the problem by configuring a user on the Radius Server that does not have a Unix account on the Client system. I can point to specific code to illustrate this scenario if desired.
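The How-To-Repeat above boils down to a name that exists on the RADIUS server but not in the local account database. The following is an added example, not OpenSSH or FreeRADIUS code, that makes the same getpwnam() gate from auth2.c explicit: it pulls the names out of a constructed FreeRADIUS-style users file and reports which ones sshd would reject before start_pam() is ever reached. The sample file and the name radius-only-user are constructed, and sshd's allowed_user() checks are not modelled.

```c
/* Added example (not OpenSSH or FreeRADIUS code). Models the gate in auth2.c:
 * a name must resolve via getpwnam() before start_pam() runs, so a user that
 * exists only on the RADIUS server is rejected before PAM is asked. The sample
 * users file is constructed; sshd's allowed_user() checks are not modelled. */
#include <ctype.h>
#include <pwd.h>
#include <string.h>

#define MAX_USERS 32
#define NAME_LEN 64

/* Constructed FreeRADIUS-style users file: each rule starts in column 0,
 * reply items are indented, DEFAULT is a keyword rather than a user. */
static const char *SAMPLE_USERS =
    "# constructed sample\n"
    "root\tCleartext-Password := \"x\"\n"
    "radius-only-user\tCleartext-Password := \"y\"\n"
    "\tReply-Message = \"welcome\"\n"
    "DEFAULT\tAuth-Type := Reject\n";

/* The same lookup sshd performs at auth2.c:192 before PAM is started. */
int local_account_exists(const char *user) { return getpwnam(user) != NULL; }

/* First token of every non-indented, non-comment line, skipping DEFAULT. */
int radius_usernames(const char *text, char names[][NAME_LEN], int max)
{
    int n = 0;
    while (*text && n < max) {
        size_t len = strcspn(text, "\n"), i = 0;
        if (len && !isspace((unsigned char)text[0]) && text[0] != '#') {
            for (; i < len && i < NAME_LEN - 1 && !isspace((unsigned char)text[i]); i++)
                names[n][i] = text[i];
            names[n][i] = '\0';
            if (strcmp(names[n], "DEFAULT") != 0) /* keyword, not a user */
                n++;
        }
        text += len + (text[len] == '\n'); /* step past the newline, if any */
    }
    return n;
}

/* Users sshd would turn away before calling PAM; returns how many. */
int rejected_before_pam(const char *users_file, char out[][NAME_LEN])
{
    char names[MAX_USERS][NAME_LEN];
    int n = radius_usernames(users_file, names, MAX_USERS), r = 0;
    for (int i = 0; i < n; i++)
        if (!local_account_exists(names[i]))
            strcpy(out[r++], names[i]);
    return r;
}
```

Run against a real users file on the sshd host, every name it reports is one whose RADIUS credentials will never be consulted until a local account (or the fix described in this PR) exists.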