Hello list,

I've searched and googled quite a bit for a solution to this, but didn't find 
any. I can't get PAM_RADIUS working with
a TEMPLATE_USER for remote logins with SSHD. If I overlooked anything, any 
hints will be highly appreciated.

The situation is as follows:

A radius authorization backend system, server A, has user ALICE, with a 
password, and user BOB, with a password.
Another server, server B, is using PAM_RADIUS for radius authentication on SSHD 
for remote logins. While attempting to
figure out how pam_radius works on server B, pam (/etc/pam.d/sshd) is 
configured like this:

auth            sufficient      pam_radius.so           try_first_pass 
template_user=bob debug
account         sufficient      pam_radius.so           template_user=bob debug
password        sufficient      pam_radius.so           try_first_pass 
template_user=bob debug

On server B, Bob has a plain vanilla Unix account in /etc/passwd, with an 
existing shell and homedirectory. When using
the pam config shown above, Bob is asked for his radius password from server A 
(as expected) when he tries to login
with ssh. This works perfectly Ok for Bob: Radius authentication is working on 
server B when using ssh to login - in
this case regardless of his password. So far so good.

Since Bob has special privileges on server B, his account will be the template 
for a small group of other users,
effectively sharing the bob-account - not Bobs' password - with others. 
Template_user should provide for this, from
the pam_radius man-page:

                 specifies a user whose passwd(5) entry will be used as a tem- 
plate to create the session environment
if the supplied user- name does not exist in local password database.  The user 
will be authenticated with the
supplied username and pass- word, but his credentials to the system will be 
presented as the ones for username, i.e.,
his login class, home directory, resource limits, etc. will be set to ones 
defined for username.

                 If this option is omitted, and there is no username in the 
system databases equal to the supplied one
(as determined by call to getpwnam(3)), the authentication will fail.

As pam is configured with 'template_user=bob', it would be expected that user 
'alice' - an account that doesn't exist
on server B in /etc/passwd - should be able to login with ssh since Bob can 
login... Oddly enough, logging in ONLY
works for user 'alice' when the account exists in /etc/passwd on server B. 
Which would still require all the accounts
being present on server B, and thus defeating the purpose of a template_user. 
It seems that template_user has no
effect, no matter which password (alice/bob) is used. Sshd is actually 
complaining about pam: "fatal: Internal error:
PAM auth succeeded when it should have failed".

>From what I've googled it seems that this topic is returning every now and 
>then, without any clear solution. Some do
indeed point to OpenSSH
 I haven't
tested this with telnetd or others. To put it another way: I've found no 
document that explains why a pam_radius
template_user shouldn't work with sshd.

Can this be done at all? Am I overlooking anything? Should I send-pr this? Or 
am I totally misreading the man-page?
Any help is much appreciated.



freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to