PAM order (ssh login)

Nathan Ward lists+freeradius at daork.net
Sun Oct 2 02:38:21 CEST 2016


Hi,

This is not a RADIUS question, it is a PAM question, so start here: http://www.linux-pam.org
I have some notes below, though this is really a matter for a PAM list, so further discussion should probably be continued elsewhere.

Before changing PAM configuration, you should understand how it works, and what your existing configuration is doing. Getting PAM wrong is - obviously - very bad.

It is difficult to understand what you want to achieve here. Do you want local authentication to mean RADIUS isn’t consulted? I imagine that to be the case, but it is not explicit from your message. If that is the case, then I believe that the problem you are having is because success=1 makes PAM jump over the pam_deny.so when pam_unix.so returns success, and continue through the other modules, including to the pam_radius_auth.so module.

Perhaps you could increase this to 2, and insert pam_radius_auth.so below it with a success=1. I don’t know if that will work well in your environment, however, so please do not attempt this until you understand *in detail* exactly what you are doing.

One also wonders why you are sshing to a server with a root password..

--
Nathan Ward

> On 2/10/2016, at 03:14, Janis Heller <janis.heller at outlook.de> wrote:
> 
> I use pam_radius to protect my servers.
> Using the sshd file in /etc/pam.d with this config:
> 
> # Standard Un*x authentication.
> @include common-auth
> 
> auth sufficient pam_radius_auth.so client_id=server22
> 
> 
> My common-auth(/etc/pam.d/common-auth) looks like this:
> 
> auth	sufficient                      pam_script.so 
> auth	[success=1 default=ignore]	pam_unix.so nullok_secure try_first_pass
> auth	requisite			pam_deny.so
> auth	required			pam_permit.so
> auth	optional			pam_cap.so 
> 
> Now when I try to log in using, for example, the root account, the password is sent to RADIUS too (but the system seems to ignore the RADIUS answer).
> I already tried to change the order. I would like to modify PAM in a way that all the default (local) PAM checks are run before a check is made to RADIUS. Where's my fault?
> I think checking each login request locally first will speed up the server performance.
> 
> All the best;
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
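An added, constructed example (not from this thread, and not Linux-PAM or pam_radius code): a simplified Python model of the auth-stack control flags, run over the poster's effective sshd stack (common-auth spliced in by @include, radius line after it) and over the success=2 / success=1 layout suggested in the reply. It assumes pam_script.so does not grant on its own, pam_deny.so always fails and pam_permit.so / pam_cap.so always succeed; substacks, new_authtok_reqd and the other action keywords are deliberately not modelled.

```python
"""Simplified model of Linux-PAM auth-stack control flow (constructed example).

Only the four keyword controls and the [success=N default=ignore] form are
modelled; substacks, new_authtok_reqd and other action keywords are not.
"""
import re

_LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Poster's effective sshd stack: Linux-PAM splices the @include'd common-auth
# lines in place, so the radius line ends up after the whole common-auth block.
ORIGINAL_SSHD = """
auth sufficient                 pam_script.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite                  pam_deny.so
auth required                   pam_permit.so
auth optional                   pam_cap.so
auth sufficient                 pam_radius_auth.so client_id=server22
"""

# Layout suggested in the reply: local success jumps over both radius and deny.
SUGGESTED_SSHD = """
auth sufficient                 pam_script.so
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_radius_auth.so client_id=server22
auth requisite                  pam_deny.so
auth required                   pam_permit.so
auth optional                   pam_cap.so
"""


def parse_stack(text):
    """Turn 'auth <control> <module> [args]' lines into (control, module) pairs."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError("unsupported line: " + line)
        stack.append((m.group(1), m.group(2)))
    return stack


def _jump_count(control):
    """N for a '[success=N default=ignore]' control, otherwise None."""
    m = re.fullmatch(r"\[\s*success=(\d+)\s+default=ignore\s*\]", control)
    return int(m.group(1)) if m else None


def run_auth(stack, outcomes):
    """Walk the stack. outcomes maps module -> True (PAM_SUCCESS) or False.

    Returns (granted, invoked): the final decision and the modules that were
    actually called, in order."""
    impression = None          # None = undecided, True = positive, False = negative
    invoked = []
    i = 0
    while i < len(stack):
        control, module = stack[i]
        invoked.append(module)
        ok = outcomes[module]
        i += 1
        jump = _jump_count(control)
        if jump is not None:                 # [success=N default=ignore]
            if ok:
                impression = True if impression is None else impression
                i += jump                    # skip the next N modules
        elif control == "requisite":
            if not ok:
                return False, invoked        # fail immediately
            impression = True if impression is None else impression
        elif control == "required":
            if not ok:
                impression = False           # remember the failure, keep going
            elif impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return True, invoked         # done, no earlier required failed
        elif control == "optional":
            if ok and impression is None:
                impression = True
        else:
            raise ValueError("unsupported control: " + control)
    return impression is True, invoked


def outcomes(local_ok, radius_ok):
    """Constructed module results; only pam_unix and pam_radius_auth vary."""
    return {
        "pam_script.so": False,       # assumed: the script does not grant by itself
        "pam_unix.so": local_ok,
        "pam_deny.so": False,         # always fails
        "pam_permit.so": True,        # always succeeds
        "pam_cap.so": True,
        "pam_radius_auth.so": radius_ok,
    }


def trace(stack_text, local_ok, radius_ok):
    """Run one scenario against one stack text."""
    return run_auth(parse_stack(stack_text), outcomes(local_ok, radius_ok))


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_SSHD), ("suggested", SUGGESTED_SSHD)):
        for local_ok, radius_ok in ((True, False), (False, True), (False, False)):
            granted, invoked = trace(text, local_ok, radius_ok)
            print(f"{label:9} local={local_ok!s:5} radius={radius_ok!s:5} "
                  f"-> granted={granted!s:5} called={invoked}")
```

Running it shows the two points made in the reply: with the original layout a correct local password is still followed by a call to pam_radius_auth.so (whose answer cannot change the already positive result), while with the suggested layout success=2 jumps over both the radius and the deny module. The model also shows that in the original layout a RADIUS-only user never reaches pam_radius_auth.so at all, because the requisite pam_deny.so decides first. This is a reduced model of the real control semantics, so confirm the behaviour of any new stack on a test host, with a second session kept open, before relying on it.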