Hello list,

I've searched and googled quite a bit for a solution to this, but didn't find
any. I can't get PAM_RADIUS working with a TEMPLATE_USER for remote logins with
SSHD. If I overlooked anything, any hints will be highly appreciated.

The situation is as follows:

A radius authorization backend system, server A, has user ALICE, with a
password, and user BOB, with a password. Another server, server B, is using
PAM_RADIUS for radius authentication on SSHD for remote logins. While
attempting to figure out how pam_radius works on server B, pam
(/etc/pam.d/sshd) is configured like this:

auth            sufficient      pam_radius.so           try_first_pass template_user=bob debug
account         sufficient      pam_radius.so           template_user=bob debug
password        sufficient      pam_radius.so           try_first_pass template_user=bob debug

On server B, Bob has a plain vanilla Unix account in /etc/passwd, with an
existing shell and home directory. When using the pam config shown above, Bob
is asked for his radius password from server A (as expected) when he tries to
login with ssh. This works perfectly OK for Bob: Radius authentication is
working on server B when using ssh to login - in this case regardless of his
password. So far so good.

Since Bob has special privileges on server B, his account will be the template
for a small group of other users, effectively sharing the bob account - not
Bob's password - with others. Template_user should provide for this, from the
pam_radius man page:

     template_user=username
                 specifies a user whose passwd(5) entry will be used as a
                 template to create the session environment if the supplied
                 username does not exist in local password database.  The user
                 will be authenticated with the supplied username and password,
                 but his credentials to the system will be presented as the
                 ones for username, i.e., his login class, home directory,
                 resource limits, etc. will be set to ones defined for
                 username.

                 If this option is omitted, and there is no username in the
                 system databases equal to the supplied one (as determined by
                 call to getpwnam(3)), the authentication will fail.

As pam is configured with 'template_user=bob', it would be expected that user
'alice' - an account that doesn't exist on server B in /etc/passwd - should be
able to login with ssh since Bob can login... Oddly enough, logging in ONLY
works for user 'alice' when the account exists in /etc/passwd on server B.
Which would still require all the accounts being present on server B, and thus
defeating the purpose of a template_user. It seems that template_user has no
effect, no matter which password (alice/bob) is used. Sshd is actually
complaining about pam: "fatal: Internal error: PAM auth succeeded when it
should have failed".

From what I've googled it seems that this topic is returning every now and
then, without any clear solution. Some do indeed point to OpenSSH
(http://www.usenet-forums.com/openssh-development/336942-sshd-pam_radius-under-freebsd.html#post706102).
I haven't tested this with telnetd or others. To put it another way: I've
found no document that explains why a pam_radius template_user shouldn't work
with sshd.

Can this be done at all? Am I overlooking anything? Should I send-pr this? Or 
am I totally misreading the man-page?
Any help is much appreciated.


Thanks!

Jacco
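The template_user rule quoted from the man page above, modelled in Python as an added example (this is not code from the original post or from pam_radius; the passwd lines, the login names and the function names are constructed for the illustration). It parses passwd(5)-style entries and decides which local identity a RADIUS-authenticated login would be given: the user's own entry if one exists, the template's entry if not, and a refusal when there is no template either. One caveat worth keeping in mind when reading the sshd error quoted in the post: sshd performs its own getpwnam(3) lookup of the login name before and independently of the PAM stack, and the message "PAM auth succeeded when it should have failed" is what it reports when that lookup found no account yet PAM still returned success. The model below only covers the pam_radius side of that decision.

```python
"""Model of the pam_radius template_user rule (added example, constructed data).

Parses passwd(5)-style lines and resolves which local identity a login would
receive, following the rule quoted from the pam_radius man page:
  - login name exists locally      -> use that entry
  - absent, template_user exists   -> use the template's entry
  - absent, no usable template     -> authentication must fail
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class PasswdEntry:
    """The fields of one passwd(5) line that matter for a session environment."""
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass(frozen=True)
class SessionIdentity:
    """Who was authenticated (login) and whose credentials the session gets (entry)."""
    login: str
    entry: PasswdEntry
    via_template: bool


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse 'name:passwd:uid:gid:gecos:home:shell' lines into a dict keyed by name.

    Blank lines and '#' comments are skipped; a malformed line raises ValueError
    rather than being silently dropped, so a broken database is noticed.
    """
    db: Dict[str, PasswdEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        db[name] = PasswdEntry(name, int(uid), int(gid), gecos, home, shell)
    return db


def resolve_session_identity(
    login: str, db: Dict[str, PasswdEntry], template_user: Optional[str] = None
) -> Optional[SessionIdentity]:
    """Apply the template_user rule; None means the login must be refused.

    The login name itself is always the supplied one (that is what the RADIUS
    server authenticated); only uid/gid/home/shell come from the template.
    """
    if login in db:
        return SessionIdentity(login, db[login], via_template=False)
    # Not in the local database: fall back to the template, if it is usable.
    # A template_user that itself has no passwd entry is treated as absent.
    if template_user is None or template_user not in db:
        return None
    return SessionIdentity(login, db[template_user], via_template=True)


# Constructed sample database for the example; not a real server's /etc/passwd.
SAMPLE_PASSWD = """\
# constructed sample
root:*:0:0:Charlie &:/root:/bin/csh
bob:*:1001:1001:Bob:/home/bob:/bin/sh
"""


if __name__ == "__main__":
    db = parse_passwd(SAMPLE_PASSWD)
    for name in ("bob", "alice"):
        ident = resolve_session_identity(name, db, template_user="bob")
        if ident is None:
            print(f"{name}: refused (no local account and no usable template)")
        else:
            print(f"{name}: uid={ident.entry.uid} home={ident.entry.home} "
                  f"via_template={ident.via_template}")
```

With template_user="bob", the constructed "alice" login resolves to Bob's uid, home and shell while keeping "alice" as the login name; without a template, or with a template name that has no passwd entry, the same login is refused.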
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"