pam_auth_radius - fallback with localifdown?
Hello, First off - if you think this doesnt belong here, just don't reply instead of being caustic. I'm asking only because it both concerns pam and the pam_radius_auth module (especially the localifdown option). And I think it could be of interest to others. I'll be asking the pam-linux crowd too.. I'm trying to setup PAM auth with pam_radius_auth to use the Radius server's answer as final, unless there's no answer at all. This is what I tried under linux: ----8<-----/etc/pam.d/sshd----------- auth required /lib/security/$ISA/pam_env.so auth [success=done new_authtok_reqd=done ignore=ignore default=die] pam_radius_auth.so localifdown debug auth sufficient /lib/security/$ISA/pam_unix.so debug audit likeauth nullok auth required /lib/security/$ISA/pam_deny.so auth required pam_nologin.so ----8<---------------------------------------- My thinking was as follow: - If we get a success, we're done. Permit entry, but don't continue down the stack to prevent local auth via pam_unix - If we get a failure, we're done, too. Deny entry, and don't continue down the stack since it serves no purpose. (I don't want to get down to pam_unix: don't want an extra prompt, passwords could be different, etc. If the radius server is up, its the only authority I want.) Both these conditions should be covered with "done" and "die" in the extended flags. What I'm next interested in is if we don't have an answer from the radius server, via "localifdown" we should make the module return PAM_IGNORE. Thus having ignore=ignore in the extended flag. Thing is, it doesn't work... If I mess up /etc/raddb/server to change the key, the host entry or whatever to make sure I can't reach the radius server, I don't seem to be going down the stack.. I just get denied access and have no trace at all in the logs. I do not think pam_radius_auth is behaving wrongly - looking at the code is simple enough, I do get "All RADIUS servers failed to respond" in the SYSLOG, so it should clearly be returning PAM_IGNORE as documented. I'm wondering if anybody has tried such a setup ? Pointers and constructive comments appreciated. Martin Richard
Martin Richard wrote:
First off - if you think this doesnt belong here, just don't reply instead of being caustic.
There is no need to start a message off with that.
Thing is, it doesn't work... If I mess up /etc/raddb/server to change the key, the host entry or whatever to make sure I can't reach the radius server, I don't seem to be going down the stack.. I just get denied access and have no trace at all in the logs.
I do not think pam_radius_auth is behaving wrongly - looking at the code is simple enough, I do get "All RADIUS servers failed to respond" in the SYSLOG, so it should clearly be returning PAM_IGNORE as documented.
Double-check that it's returning PAM_IGNORE. Maybe source code mods to syslog "RETURNING PAM_IGNORE". If it is returning PAM_IGNORE, then it's a PAM problem. Ask the question again on the PAM list. Alan DeKok.
On Wed, Jun 23, 2010 at 4:13 AM, Alan DeKok <aland@deployingradius.com>wrote:
I do not think pam_radius_auth is behaving wrongly - looking at the code is simple enough, I do get "All RADIUS servers failed to respond" in the SYSLOG, so it should clearly be returning PAM_IGNORE as documented.
Double-check that it's returning PAM_IGNORE. Maybe source code mods to syslog "RETURNING PAM_IGNORE".
If it is returning PAM_IGNORE, then it's a PAM problem. Ask the question again on the PAM list.
I've added logging at the end of talk_radius() to confirm that it was returning PAM_IGNORE, and it was indeed the case. I posted to the pam list, where someone suggested I used pam_debug to see how the stack reacted to PAM_IGNORE: ------8<------- auth required pam_debug.so auth=ignore auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so debug audit likeauth nullok auth required /lib/security/$ISA/pam_deny.so auth required pam_nologin.so ------8<------- I can indeed login with the local auth via pam_unix in this case, so I'm back at looking at the module's code.. I know talk_radius() is returning PAM_IGNORE, here's the very last part of the function with my mod: ------8<------- if (!server) { _pam_log(LOG_ERR, "All RADIUS servers failed to respond."); if (conf->localifdown) { _pam_log(LOG_ERR, "Retval = PAM_IGNORE"); retval = PAM_IGNORE; } else retval = PAM_AUTHINFO_UNAVAIL; } else { retval = PAM_SUCCESS; } return retval; } ------8<------- I'll have a look at the rest of the flow, see if it could have been overriden elsewhere after that call.. I've never coded a pam module, am I correct to guess that since I'm calling the module with an auth call from the stack I should be looking at pam_sm_authenticate() ? Martin
On Wed, Jun 23, 2010 at 4:13 AM, Alan DeKok <aland@deployingradius.com>wrote:
Double-check that it's returning PAM_IGNORE. Maybe source code mods to syslog "RETURNING PAM_IGNORE".
If it is returning PAM_IGNORE, then it's a PAM problem. Ask the question again on the PAM list.
Found my problem. The pam_sm_authenticate() does return PAM_IGNORE with localifdown, as expected. Added a lot of logging including the final return value (PAM_IGNORE / 25). I had also tested that the stack was dealing with the ignore properly by using pam_debug.so. So my stack for 'auth' as originally posted works as expected, so I'm quite happy with the fallback setup. What was failing pseudo silently was the call to pam_sm_open_session() (or rather pam_private_session()). I only had this single module listed in the pam conf file, and since nothing was logged, I didn't catch on the fact that my login failures were coming from the 'session' part. Since no success was returned and it was my only line for PAM, it failed and I couldn't logon if the radius servers were unreachable. Time permitting I might submit a patch to add some logging to pam_private_session, if there would be interest from the dev team ? Thanks a lot for the infos and replies. Martin
participants (2)
-
Alan DeKok -
Martin Richard