| Summary: | [pam] template_user is broken in pam_radius | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Dan Mahoney <danm> |
| Component: | bin | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed Not Accepted | | |
| Severity: | Affects Only Me | CC: | des, jaccovb, wynkoop |
| Priority: | Normal | | |
| Version: | 4.6.2-RELEASE | | |
| Hardware: | Any | | |
| OS: | Any | | |
Description
Dan Mahoney
2004-04-29 22:10:05 UTC
Any hope for a patch re: template_user and pam_radius? Running 6.0-RC1 and template_user doesn't seem to work. Any workaround?

Thanks,
Tate

Tue, 1 Nov 2005 16:43:20 -0500 (EST)

On Tue, 1 Nov 2005, C. Tate Baumrucker wrote:

I wouldn't hold your breath. Personally, this little bug shot to hell any hope of using radius for central auth on all our systems (because radius is a great common denominator, even windows can speak it!)

At the very least, the notation about the function should be removed. I'd fix it, but I do not speak C and have no IDEA where to even go about trying to run a truss on something as crucial as PAM.

-Dan

--
"Happy, Sad, Happy, Sad, Happy, Sad, Happy, Intrigued! I've never been so in touch with my emotions!" -AndrAIa as Hexadecimal, Reboot Episode 3.2.3

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------

State Changed From-To: open->closed

This is actually a configuration error. At the point where pam_radius submits an authentication request to the server, it doesn't know (or care) whether the user exists in the local user database. It doesn't make that check until after the user has been authenticated by the radius server. The only explanation for this is that the originator had something in their PAM configuration that rejected the authentication attempt before it ever reached pam_radius. This could easily have been verified by enabling debugging with the "debug" keyword in the appropriate PAM stack.

The problem I have with this explanation is that when pam_radius is configured with the template_user, pam sends an invalid password hash to my radius server, causing my radius server to reject the auth. When I create a local user account and remove template_user, it works as expected.

Further to this, I have inserted some debug output into pam_radius.so.5 to output the password to syslog from the build_access_request.

When I have a local user account matching the login I am using, it works correctly and logs me in, and syslog shows my password as expected:

Aug 11 17:09:22 ssi-knta-pd1 sshd[5464]: rad_mb_debug: MySecret

When I remove the local user account, pam_radius uses the incorrect password when generating the password hash for the radius packet.

Aug 11 17:09:48 ssi-knta-pd1 sshd[5473]: rad_mb_debug: ^H ^M^?INCORRECT

The problem is that OpenSSH checks whether the user exists before attempting authentication. Moreover, the OpenSSH developers consider this functionality a security liability and have intentionally removed it from their code (see https://blog.des.no/2015/08/openssh-pam-and-user-names/). Therefore, we will not fix this.

*** Bug 169670 has been marked as a duplicate of this bug. ***

*** Bug 124320 has been marked as a duplicate of this bug. ***
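Added example, not part of the bug report or of FreeBSD/OpenSSH code: a small Python checker that reproduces the diagnosis above from the two quoted syslog lines. It encodes the placeholder password sshd hands to PAM for unknown login names (badpw[] in OpenSSH's auth-pam.c) and compares it, in syslog's caret notation, with what the reporter's `rad_mb_debug` tag logged. The escaping rule (newline written as a space, other control characters as ^X) is assumed from the quoted lines; the log lines themselves are the ones in the report.

```python
import re

# OpenSSH substitutes this placeholder password when the login name does not
# exist locally (badpw[] in sshd's auth-pam.c), so that PAM still runs a full
# round and response timing does not reveal which account names are valid.
OPENSSH_BAD_PASSWORD = b"\b\n\r\x7fINCORRECT"

# Tag the reporter added to pam_radius's build_access_request for debugging.
DEBUG_RE = re.compile(r"rad_mb_debug: (.*)$")

def syslog_escape(raw: bytes) -> str:
    """Render bytes as FreeBSD syslogd writes them (assumed from the quoted
    lines): high bit dropped, newline -> space, control char -> ^X (X = c^0x40)."""
    out = []
    for c in raw:
        c &= 0x7F
        if c == 0x0A:
            out.append(" ")
        elif c < 0x20 or c == 0x7F:
            out.append("^" + chr(c ^ 0x40))
        else:
            out.append(chr(c))
    return "".join(out)

def classify_debug_line(line: str) -> str:
    """'placeholder' if PAM got sshd's fake password (login name unknown to
    sshd), 'real' if it got the typed password, 'other' if no debug tag."""
    m = DEBUG_RE.search(line)
    if m is None:
        return "other"
    if m.group(1) == syslog_escape(OPENSSH_BAD_PASSWORD):
        return "placeholder"
    return "real"

# The two syslog lines quoted in the report (local account present / absent).
SAMPLE_LOG = [
    "Aug 11 17:09:22 ssi-knta-pd1 sshd[5464]: rad_mb_debug: MySecret",
    "Aug 11 17:09:48 ssi-knta-pd1 sshd[5473]: rad_mb_debug: ^H ^M^?INCORRECT",
]

def diagnose(lines):
    """Map each sshd pid to its classification; 'placeholder' means the
    rejection originates in sshd's missing-user substitution, not pam_radius."""
    result = {}
    for line in lines:
        m = re.search(r"sshd\[(\d+)\]", line)
        if m:
            result[int(m.group(1))] = classify_debug_line(line)
    return result
```

Running `diagnose(SAMPLE_LOG)` flags pid 5473 as the placeholder case, which is the login without a local account.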