From: "Jacco van Buuren" <jaccovb@xs4all.nl>
To: freebsd-questions@freebsd.org
Date: Sat, 17 May 2008 11:41:45 +0200 (CEST)
Subject: Login with ssh using pam_radius and a template_user
Message-ID: <7709.213.84.214.79.1211017305.squirrel@webmail.xs4all.nl>
Reply-To: jaccovb@xs4all.nl

Hello list,

I've searched and googled quite a bit for a solution to this, but didn't find any. I can't get PAM_RADIUS working with a TEMPLATE_USER for remote logins with SSHD. If I overlooked anything, any hints will be highly appreciated.

The situation is as follows: a radius authorization backend system, server A, has user ALICE, with a password, and user BOB, with a password.
Another server, server B, is using PAM_RADIUS for radius authentication on SSHD for remote logins. While attempting to figure out how pam_radius works on server B, pam (/etc/pam.d/sshd) is configured like this:

    auth      sufficient  pam_radius.so  try_first_pass template_user=bob debug
    account   sufficient  pam_radius.so  template_user=bob debug
    password  sufficient  pam_radius.so  try_first_pass template_user=bob debug

On server B, Bob has a plain vanilla Unix account in /etc/passwd, with an existing shell and home directory. When using the pam config shown above, Bob is asked for his radius password from server A (as expected) when he tries to log in with ssh. This works perfectly OK for Bob: radius authentication is working on server B when using ssh to log in - in this case regardless of his password. So far so good.

Since Bob has special privileges on server B, his account will be the template for a small group of other users, effectively sharing the bob account - not Bob's password - with others. Template_user should provide for this; from the pam_radius man page:

    template_user=username
            specifies a user whose passwd(5) entry will be used as a
            template to create the session environment if the supplied
            username does not exist in local password database.  The
            user will be authenticated with the supplied username and
            password, but his credentials to the system will be
            presented as the ones for username, i.e., his login class,
            home directory, resource limits, etc. will be set to ones
            defined for username.  If this option is omitted, and there
            is no username in the system databases equal to the supplied
            one (as determined by call to getpwnam(3)), the
            authentication will fail.

As pam is configured with 'template_user=bob', it would be expected that user 'alice' - an account that doesn't exist on server B in /etc/passwd - should be able to log in with ssh since Bob can log in... Oddly enough, logging in ONLY works for user 'alice' when the account exists in /etc/passwd on server B.
Which would still require all the accounts to be present on server B, thus defeating the purpose of a template_user. It seems that template_user has no effect, no matter which password (alice/bob) is used. Sshd is actually complaining about pam: "fatal: Internal error: PAM auth succeeded when it should have failed".

From what I've googled it seems that this topic is returning every now and then, without any clear solution. Some do indeed point to OpenSSH (http://www.usenet-forums.com/openssh-development/336942-sshd-pam_radius-under-freebsd.html#post706102). I haven't tested this with telnetd or others.

To put it another way: I've found no document that explains why a pam_radius template_user shouldn't work with sshd. Can this be done at all? Am I overlooking anything? Should I send-pr this? Or am I totally misreading the man page?

Any help is much appreciated. Thanks!

Jacco
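Editor's added example, not part of Jacco's mail and not code from pam_radius or OpenSSH. The man-page text quoted in the mail describes template_user as a getpwnam(3) fallback performed inside the PAM module. The fatal error quoted in the mail is raised by sshd itself: in my reading of OpenSSH's auth-pam.c, sshd does its own getpwnam(3) on the supplied login name before PAM runs (it still runs PAM for an unknown name so that user enumeration is not possible), knows nothing about template_user, and treats a PAM success for a name it could not look up as "Internal error: PAM auth succeeded when it should have failed". The program below models those two lookups side by side so the three possible outcomes can be seen for a given login name and template. The function names are mine, the RADIUS password check is assumed to have already succeeded, and the only real calls made are getpwnam(3) against the local password database of the machine it runs on.

```c
/* Added example (editor's, not from the mail or from pam_radius/OpenSSH):
 * models the two getpwnam(3) lookups that decide whether a RADIUS-authenticated
 * ssh login with template_user can work. Assumes the RADIUS server already
 * accepted the password; no network I/O happens here. */
#include <pwd.h>
#include <stdio.h>

enum outcome { LOGIN_OK, PAM_FAILS, SSHD_FATAL };

/* pam_radius side, as described in the template_user man-page text:
 * use the supplied user's own passwd(5) entry if it exists locally;
 * otherwise fall back to the template user's entry; otherwise fail. */
struct passwd *resolve_template_user(const char *user, const char *template_user)
{
    struct passwd *pw = getpwnam(user);
    if (pw != NULL)
        return pw;                       /* local account exists: template unused */
    if (template_user == NULL)
        return NULL;                     /* no template configured: auth fails */
    return getpwnam(template_user);      /* NULL if the template itself is bogus */
}

/* sshd side (my reading of OpenSSH auth-pam.c, an assumption of this example):
 * sshd looks the login name up with getpwnam(3) before PAM runs, knows nothing
 * about template_user, and treats a PAM success for an unknown name as an
 * internal error. */
int sshd_knows_user(const char *user)
{
    return getpwnam(user) != NULL;
}

/* Combine the two checks in the order they happen for an ssh login. */
enum outcome ssh_login_outcome(const char *user, const char *template_user)
{
    int known = sshd_knows_user(user);                 /* sshd's lookup, first */
    struct passwd *pw = resolve_template_user(user, template_user);
    if (pw == NULL)
        return PAM_FAILS;         /* neither user nor template exists: PAM says no */
    if (!known)
        return SSHD_FATAL;        /* PAM said yes via the template; sshd aborts */
    return LOGIN_OK;              /* only reachable when 'user' is in /etc/passwd */
}

const char *outcome_name(enum outcome o)
{
    switch (o) {
    case LOGIN_OK:   return "login ok";
    case PAM_FAILS:  return "PAM auth fails";
    case SSHD_FATAL: return "sshd fatal: Internal error: PAM auth succeeded "
                            "when it should have failed";
    }
    return "?";
}

int main(int argc, char **argv)
{
    /* usage: ./template_check <login-name> [template-user]; defaults mirror the mail */
    const char *user = argc > 1 ? argv[1] : "alice";
    const char *tmpl = argc > 2 ? argv[2] : "bob";
    struct passwd *pw = resolve_template_user(user, tmpl);

    printf("pam_radius would present credentials of: %s\n",
           pw ? pw->pw_name : "(none)");
    printf("ssh login result: %s\n", outcome_name(ssh_login_outcome(user, tmpl)));
    return 0;
}
```

Run it as `./template_check alice bob` on a box where bob exists and alice does not, and the result is the sshd fatal from the mail; add alice to /etc/passwd and the same command reports "login ok" with alice's own entry, which matches the behaviour Jacco observed. The template entry is only ever reached on the PAM side, after sshd has already decided the name is invalid.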