Re: Authentication method fallback not working

2009-08-28 Thread Ian Chard

On 27/08/09 13:44, Schöberle Daniel wrote:

>> Hi,
>>
>> I'm using OpenBSD 4.5-stable, and I'm trying to configure RADIUS
>> authentication.  What I want is for the system to try the RADIUS server,
>> and if it fails, fall back to the local password file.  In login.conf I have
>>
>> auth-defaults:auth=radius,passwd:radius-server=my.radius.server
>>
>> If the RADIUS server isn't there for whatever reason, the system doesn't
>> fall back to password file authentication.  The same happens if I specify
>> the methods the other way round: the RADIUS server is never tried even
>> if the password-file-based login fails.
>>
>> I need to make sure that I can always log in even if the RADIUS server
>> has gone away.  Is it possible to configure the system in this way?
>>
>> Thanks
>> - Ian
>
> Why not make a new login class for radius users and make yourself
> backup users in default class? Normally you'd login with users from
> the radius class and if that fails you'd use a user from the default class.
> Of course, that way you'd have to use different login names for the
> two classes.


That's a good workaround, thanks.  Do you know if it's a bug that this 
doesn't work, or is it just not implemented?  I assumed from the 
manpages that being able to specify more than one style implies that 
there's some kind of fallback mechanism.


I just wanted to know whether it was worth filing a bug for this.

Thanks
- Ian

--
Ian Chard, Senior Unix and Network Gorilla | E: ian.ch...@sers.ox.ac.uk
Systems and Electronic Resources Service   | T:  80587 / (01865) 280587
Oxford University Library Services | F:  (01865) 242287



Re: Authentication method fallback not working

2009-08-28 Thread Stuart Henderson
On 2009-08-28, Ian Chard ian.ch...@sers.ox.ac.uk wrote:
 On 27/08/09 13:44, Schöberle Daniel wrote:
 Hi,

 I'm using OpenBSD 4.5-stable, and I'm trying to configure RADIUS
 authentication.  What I want is for the system to try the
 RADIUS server,
 and if it fails, fall back to the local password file.  In
 login.conf I have

 auth-defaults:auth=radius,passwd:radius-server=my.radius.server

 If the RADIUS server isn't there for whatever reason, the
 system doesn't
 fall back to password file authentication.  The same happens
 if I specify
 the methods the other way round: the RADIUS server is never
 tried even
 if the password-file-based login fails.

 I need to make sure that I can always log in even if the
 RADIUS server
 has gone away.  Is it possible to configure the system in this way?

 Thanks
 - Ian

 Why not make a new login class for radius users and make yourself
 backup users in default class? Normally you'd login with users from
 the radius class and if that fails you'd use a user from the default class.
 Of course, that way you'd have to use different login names for the
 two classes.

 That's a good workaround, thanks.  Do you know if it's a bug that this 
 doesn't work, or is it just not implemented?  I assumed from the 
 manpages that being able to specify more than one style implies that 
 there's some kind of fallback mechanism.

 I just wanted to know whether it was worth filing a bug for this.

I used to use authentication styles for skey; as login(1) says, "To specify
the alternate authentication mechanism style, the string :style is appended
to the user name (i.e., user:style)."

So you shouldn't need a separate account, just login as user:passwd.
The existence of krb5-or-pwd suggests to me that there's probably no
automatic fall-back but I haven't checked that.



Re: Authentication method fallback not working

2009-08-28 Thread Todd T. Fries
Penned by Stuart Henderson on 20090828  8:51.04, we have:
| On 2009-08-28, Ian Chard ian.ch...@sers.ox.ac.uk wrote:
|  On 27/08/09 13:44, Schöberle Daniel wrote:
|  Hi,
| 
|  I'm using OpenBSD 4.5-stable, and I'm trying to configure RADIUS
|  authentication.  What I want is for the system to try the
|  RADIUS server,
|  and if it fails, fall back to the local password file.  In
|  login.conf I have
| 
|  auth-defaults:auth=radius,passwd:radius-server=my.radius.server
| 
|  If the RADIUS server isn't there for whatever reason, the
|  system doesn't
|  fall back to password file authentication.  The same happens
|  if I specify
|  the methods the other way round: the RADIUS server is never
|  tried even
|  if the password-file-based login fails.
| 
|  I need to make sure that I can always log in even if the
|  RADIUS server
|  has gone away.  Is it possible to configure the system in this way?
| 
|  Thanks
|  - Ian
| 
|  Why not make a new login class for radius users and make yourself
|  backup users in default class? Normally you'd login with users from
|  the radius class and if that fails you'd use a user from the default class.
|  Of course, that way you'd have to use different login names for the
|  two classes.
| 
|  That's a good workaround, thanks.  Do you know if it's a bug that this 
|  doesn't work, or is it just not implemented?  I assumed from the 
|  manpages that being able to specify more than one style implies that 
|  there's some kind of fallback mechanism.
| 
|  I just wanted to know whether it was worth filing a bug for this.
| 
| I used to use authentication styles for skey; as login(1) says, "To specify
| the alternate authentication mechanism style, the string :style is appended
| to the user name (i.e., user:style)."
| 
| So you shouldn't need a separate account, just login as user:passwd.
| The existence of krb5-or-pwd suggests to me that there's probably no
| automatic fall-back but I haven't checked that.

There is indeed no automatic fallback.  krb5-or-pwd makes it very clear
that if you want fallback, you must create an auth method that does what
you wish.

The ability for me to login as 'todd:passwd' is invaluable to me, as
even krb5-or-pwd sometimes has conditions where sshd default timeouts
are not long enough.  Aka if no default route is set, and the kerberos
server is not on the local network, it times out quickly.  Otherwise, if
the network is up but the kerberos server is not reachable, it takes
over 10min to fallback to passwd, during which time the 5min sshd
default timeout times the connection out.  Especially my firewall but
lots of my systems have:

auth-defaults:auth=krb5-or-pwd,passwd:

Thanks,
-- 
Todd Fries .. t...@fries.net

Free Daemon Consulting, LLC
1.636.410.0632 (voice)
1.405.227.9094 (voice)
1.866.792.3418 (FAX)
sip:freedae...@ekiga.net
sip:4052279...@ekiga.net
http://FreeDaemonConsulting.com
..in support of free software solutions.

37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt
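The behaviour Stuart and Todd describe, in working form: an added example (not code from the thread, from OpenBSD, or from any poster) that reads a constructed login.conf the way getcap(3) reads it (backslash continuations, name|alias lists, tc= links), takes the auth list from the auth-defaults record when a class has none, and resolves a user:style login name against that list. It shows why auth=radius,passwd never falls back: the first style is the class default, the second is only reachable by logging in as user:passwd, and a style that is not listed is rejected outright. Assumptions: the sample file and user names are constructed; the lookup order (class, then its tc= chain, then auth-defaults) is my reading of login.conf(5); escaped colons (\:) inside values are not handled. It needs only sh and awk, so it runs anywhere, not just on OpenBSD.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD): which BSD auth style
# does a login name get from a login.conf class, and is there any fallback?

# Constructed sample login.conf.  The radius class is modelled on the
# auth-defaults line quoted in the thread; it is not anyone's real file.
SAMPLE_LOGIN_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_LOGIN_CONF"' EXIT
cat > "$SAMPLE_LOGIN_CONF" <<'EOF'
# constructed sample, not a real system file
default:\
	:path=/usr/bin /bin /usr/sbin /sbin:\
	:umask=022:
radius:\
	:auth=radius,passwd:\
	:radius-server=my.radius.server:\
	:tc=default:
staff:\
	:tc=default:
auth-defaults:\
	:auth=passwd:
EOF

# cap_lookup FILE RECORD CAP: print CAP's value from RECORD, status 1 if
# absent.  Joins backslash-continued lines and matches any name in the
# record's name|alias list, like getcap(3).  Assumption: no \: escapes.
cap_lookup() {
    awk -v rec="$2" -v cap="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments, blank lines
        {
            sub(/^[ \t]+/, "")                      # leading tab on continuations
            if (sub(/\\$/, "")) { line = line $0; next }   # trailing \ continues
            records[++n] = line $0; line = ""
        }
        END {
            for (i = 1; i <= n; i++) {
                nf = split(records[i], f, ":")
                na = split(f[1], names, "|")
                for (j = 1; j <= na; j++) {
                    if (names[j] != rec) continue
                    for (k = 2; k <= nf; k++) {
                        eq = index(f[k], "=")
                        if (eq > 0 && substr(f[k], 1, eq - 1) == cap) {
                            print substr(f[k], eq + 1); exit 0
                        }
                    }
                }
            }
            exit 1
        }' "$1"
}

# class_cap FILE CLASS CAP: look CAP up in CLASS, following tc= links the
# way getcap(3) does (depth-bounded so a tc= loop cannot hang us).
class_cap() {
    _file=$1 _class=$2 _depth=0
    while [ "$_depth" -lt 16 ]; do
        if _val=$(cap_lookup "$_file" "$_class" "$3"); then
            printf '%s\n' "$_val"
            return 0
        fi
        _class=$(cap_lookup "$_file" "$_class" tc) || return 1
        _depth=$((_depth + 1))
    done
    return 1
}

# auth_styles FILE CLASS: comma-separated styles allowed for CLASS.
# Assumption (my reading of login.conf(5)): a class with no auth capability,
# even via tc=, gets the list from the auth-defaults record.
auth_styles() {
    class_cap "$1" "$2" auth || class_cap "$1" auth-defaults auth
}

# resolve_style FILE CLASS LOGINNAME: print "user style".  The first listed
# style is the default; "user:style" selects another listed style; a style
# that is not listed is rejected (status 1).  No style is ever tried after
# another one fails, which is what the thread concludes.
resolve_style() {
    _styles=$(auth_styles "$1" "$2") || return 1
    case $3 in
        *:*) _user=${3%%:*} _want=${3#*:} ;;
        *)   _user=$3 _want= ;;
    esac
    if [ -z "$_want" ]; then
        _want=${_styles%%,*}                # default: first listed style
    else
        case ",$_styles," in
            *",$_want,"*) ;;                # requested style is allowed
            *) return 1 ;;                  # not allowed for this class
        esac
    fi
    printf '%s %s\n' "$_user" "$_want"
}

# Demonstration on the constructed file (user name "ian" is constructed).
printf 'class radius allows: %s\n' "$(auth_styles "$SAMPLE_LOGIN_CONF" radius)"
printf 'class staff allows:  %s\n' "$(auth_styles "$SAMPLE_LOGIN_CONF" staff)"
resolve_style "$SAMPLE_LOGIN_CONF" radius ian          # ian radius
resolve_style "$SAMPLE_LOGIN_CONF" radius ian:passwd   # ian passwd
resolve_style "$SAMPLE_LOGIN_CONF" radius ian:skey || echo 'ian:skey rejected'
```

The parser is deliberately minimal: real getcap(3) also handles numeric (#) and boolean capabilities and \: escapes, and login(1) maps an unknown class to default before any of this happens. What the example does reproduce is the part that matters for the thread: a comma-separated auth list is a menu the user picks from with user:style, not an ordered chain that login walks on failure, so the only ways to get a fallback are the ones the posters name (a combined style such as krb5-or-pwd, or logging in as user:passwd).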



Re: Authentication method fallback not working

2009-08-27 Thread Schöberle Dániel
 Hi,

 I'm using OpenBSD 4.5-stable, and I'm trying to configure RADIUS
 authentication.  What I want is for the system to try the
 RADIUS server,
 and if it fails, fall back to the local password file.  In
 login.conf I have

 auth-defaults:auth=radius,passwd:radius-server=my.radius.server

 If the RADIUS server isn't there for whatever reason, the
 system doesn't
 fall back to password file authentication.  The same happens
 if I specify
 the methods the other way round: the RADIUS server is never
 tried even
 if the password-file-based login fails.

 I need to make sure that I can always log in even if the
 RADIUS server
 has gone away.  Is it possible to configure the system in this way?

 Thanks
 - Ian

Why not make a new login class for radius users and make yourself
backup users in default class? Normally you'd login with users from
the radius class and if that fails you'd use a user from the default class.
Of course, that way you'd have to use different login names for the
two classes.

Regards, Daniel.



Authentication method fallback not working

2009-08-25 Thread Ian Chard

Hi,

I'm using OpenBSD 4.5-stable, and I'm trying to configure RADIUS 
authentication.  What I want is for the system to try the RADIUS server, 
and if it fails, fall back to the local password file.  In login.conf I have


auth-defaults:auth=radius,passwd:radius-server=my.radius.server

If the RADIUS server isn't there for whatever reason, the system doesn't 
fall back to password file authentication.  The same happens if I specify
the methods the other way round: the RADIUS server is never tried even 
if the password-file-based login fails.


I need to make sure that I can always log in even if the RADIUS server 
has gone away.  Is it possible to configure the system in this way?


Thanks
- Ian

--
Ian Chard, Senior Unix and Network Gorilla | E: ian.ch...@sers.ox.ac.uk
Systems and Electronic Resources Service   | T:  80587 / (01865) 280587
Oxford University Library Services | F:  (01865) 242287