<div>I'm running pam_radius 1.3.16 on Solaris 10 using a Cisco ACS backend that authenticates to an MS AD server.</div>
<div>I'm running into an issue where a user will fail a single login attempt (one username/password challenge with a bad password) and the ACS will record 3 attempts from the client (the Solaris 10 server). After a single attempt (or a valid login with a local password) the 3 fails bollix up the AD login attempts and lock the user out. Am I missing a compile option to only attempt a single RADIUS login per authentication, or do I possibly have pam.conf misconfigured? I use sshd-kbdint and sshd-password with the same results. Otherwise the system works well.</div>
<div>
<pre>
# pam_radius_auth configuration file. Copy to: /etc/raddb/server
#
# For proper security, this file SHOULD have permissions 0600,
# that is readable by root, and NO ONE else. If anyone other than
# root can read this file, then they can spoof responses from the server!
#
# There are 3 fields per line in this file. There may be multiple
# lines. Blank lines or lines beginning with '#' are treated as
# comments, and are ignored. The fields are:
#
# server[:port] secret [timeout]
#
# the port name or number is optional. The default port name is
# "radius", and is looked up from /etc/services. The timeout field is
# optional. The default timeout is 3 seconds.
#
# If multiple RADIUS server lines exist, they are tried in order. The
# first server to return success or failure causes the module to return
# success or failure. Only if a server fails to respond is it skipped,
# and the next server in turn is used.
#
# The timeout field controls how many seconds the module waits before
# deciding that the server has failed to respond.
#
# server[:port] shared_secret timeout (s)
#127.0.0.1 secret 1
#other-server other-secret 3
localhost secret 3
10.0.0.10:2048 XXXXXXXX 3
#
# having localhost in your radius configuration is a Good Thing.
#
# See the INSTALL file for pam.conf hints.
</pre>
</div>
<div>
<pre>
bash-3.00# cat /etc/pam.conf
#
#ident "@(#)pam.conf 1.28 04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth sufficient /usr/lib/security/pam_radius_auth.so.1 debug
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
telnet auth sufficient /usr/lib/security/pam_radius_auth.so.1 debug
#telnet auth required /usr/lib/security/pam_unix.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
# sshd access
# either local or radius login will work
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_dhkeys.so.1
sshd-kbdint auth required pam_unix_cred.so.1
sshd-kbdint auth required pam_unix_auth.so.1
sshd-kbdint auth required pam_dial_auth.so.1
sshd-kbdint auth sufficient pam_radius_auth.so.1 debug
</pre>
</div>
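<div>The following is an added example, not code from the original post or from pam_radius: a small evaluator of the Solaris pam.conf(4) control flags (sufficient, requisite, required, binding, optional) run over the "login" and "sshd-kbdint" auth stacks posted above, to show which module decides the outcome and how often one pass through a stack invokes pam_radius_auth. The per-module results it feeds in are constructed inputs, not real PAM return codes.</div>

```python
# Added example (not from the original post): evaluator for Solaris
# pam.conf(4) control-flag semantics, run over the two posted auth stacks.
# Module results below are constructed inputs, not real PAM return codes.

# Auth stacks transcribed from the posted pam.conf as (control flag, module).
LOGIN_STACK = [
    ("sufficient", "pam_radius_auth"), ("requisite", "pam_authtok_get"),
    ("required", "pam_dhkeys"), ("required", "pam_unix_cred"),
    ("required", "pam_unix_auth"), ("required", "pam_dial_auth"),
]
SSHD_KBDINT_STACK = [
    ("requisite", "pam_authtok_get"), ("required", "pam_dhkeys"),
    ("required", "pam_unix_cred"), ("required", "pam_unix_auth"),
    ("required", "pam_dial_auth"), ("sufficient", "pam_radius_auth"),
]


def evaluate(stack, results):
    """Walk one auth stack. `results` maps module -> True/False; a module not
    listed is assumed to succeed. Returns (outcome, modules actually called)."""
    called, any_success, required_fail, optional_fail = [], False, False, False
    for flag, module in stack:
        called.append(module)
        if results.get(module, True):
            any_success = True
            # A sufficient/binding success ends the stack only if no required
            # module has already failed; otherwise that failure still wins.
            if flag in ("sufficient", "binding") and not required_fail:
                return "success", called
        elif flag == "requisite":
            return "failure", called            # hard stop, nothing else runs
        elif flag in ("required", "binding"):
            required_fail = True                # recorded, but stack continues
        else:
            optional_fail = True                # sufficient/optional failure
    if required_fail or (optional_fail and not any_success):
        return "failure", called
    return "success", called


def radius_calls_per_pass(stack, results):
    """How many times one pass through the stack invokes pam_radius_auth."""
    return evaluate(stack, results)[1].count("pam_radius_auth")


if __name__ == "__main__":
    # Constructed scenario: the account exists only on the RADIUS/AD side, so
    # the local pam_unix_auth check fails while the RADIUS check succeeds.
    radius_only = {"pam_unix_auth": False}
    for name, stack in (("login", LOGIN_STACK), ("sshd-kbdint", SSHD_KBDINT_STACK)):
        outcome, called = evaluate(stack, radius_only)
        print(f"{name}: {outcome}; pam_radius_auth called "
              f"{radius_calls_per_pass(stack, radius_only)} time(s); ran {called}")
```

<div>In the login stack the sufficient pam_radius_auth line comes first and short-circuits, while in sshd-kbdint it sits after the required pam_unix_auth line, so a failed local password is remembered and a RADIUS success cannot rescue the login. Either way a single pass through either stack calls the module once, so any extra RADIUS attempts are not produced by the stacking in this pam.conf.</div>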