Date:      Thu, 29 Apr 2004 17:08:12 -0400 (EDT)
From:      Dan Mahoney <danm@prime.gushi.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/66095: template_user is broken in pam_radius
Message-ID:  <200404292108.i3TL8CdV099025@s2.ezzi.net>
Resent-Message-ID: <200404292110.i3TLA6gl093421@freefall.freebsd.org>


>Number:         66095
>Category:       bin
>Synopsis:       template_user is broken in pam_radius
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 29 14:10:05 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Dan Mahoney
>Release:        FreeBSD 4.6.2-RELEASE-p27 i386
>Organization:
>Environment:
System: FreeBSD s2.ezzi.net 4.6.2-RELEASE-p27 FreeBSD 4.6.2-RELEASE-p27 #0: Tue Apr 6 08:52:46 EDT 2004 danm@s2.ezzi.net:/usr/obj/usr/src/sys/GENERIC i386


	
>Description:

The pam_radius module's man page purports to be able to support a "template user", i.e. when a user not listed in the local
system attempts to authenticate when pam_radius is in effect, instead, the login credentials for "template_user" will be
presented.

FreeBSD seems to authorize against RADIUS correctly when a local user exists, but when a non-local user tries to authenticate,
the request is NOT EVEN FORWARDED to the RADIUS server.  Auth simply fails.

>How-To-Repeat:

/etc/radius.conf: 

auth    65.125.237.37   testing123
acct    65.125.237.37   testing123

/etc/pam.conf:

sshd    auth    sufficient      pam_skey.so
sshd    auth    sufficient      pam_opie.so                     no_fake_prompts
#sshd   auth    requisite       pam_opieaccess.so
#sshd   auth    sufficient      pam_kerberosIV.so               try_first_pass
#sshd   auth    sufficient      pam_krb5.so                     try_first_pass
sshd    auth    sufficient      pam_radius.so                   try_first_pass template_user=danm
sshd    auth    required        pam_unix.so                     try_first_pass
sshd    account sufficient      pam_radius.so                   try_first_pass template_user=danm
sshd    account required        pam_unix.so
sshd    password required       pam_permit.so
sshd    session required        pam_permit.so

Try to log in as a user who is present on the RADIUS server but not present on the local system.

>Fix:

None known.


>Release-Note:
>Audit-Trail:
>Unformatted:


