Re: pam_radius: multiple bad logins hitting radius server

2007-04-25 Thread Alan DeKok
J S wrote:
  
 I'm running pam_radius 1.3.16 on Solaris 10 using a Cisco ACS backend
 that authenticates to an MS AD server.
 I'm running into an issue where a user will fail a single login attempt
 (one username/password challenge with a bad password) and the ACS will
 record 3 attempts from the client (the Solaris 10 server). After a
 single attempt (or a valid login with a local password) the 3 fails
 bollix up the AD login attempts and lock the user out. Am I missing a
 compile option to only attempt a single RADIUS login per authentication,
 or do I possibly have pam.conf misconfigured? I use sshd-kbdint and
 sshd-password with the same results. Otherwise the system works well.

  The module will re-send the request if it doesn't get a response from
the RADIUS server.  Or, if the response is sent from the wrong IP (i.e.
the RADIUS server has multiple IPs).  Or, if the shared secret is
incorrect.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: pam_radius: multiple bad logins hitting radius server

2007-04-25 Thread J S

That's good to know. What seems odd, though, is that it resends the same
request in quick, sub-second succession (based on the RADIUS server logs).
This case has a single RADIUS server at a single IP and a single secret that
works when the correct password is sent (and only 1 log entry), but a wrong
entry is 3 failures.


Re: pam_radius: multiple bad logins hitting radius server

2007-04-25 Thread Alan DeKok
J S wrote:
  That's good to know. What seems odd, though, is that it resends the
 same request in quick, sub-second succession (based on the RADIUS server
 logs).

  Well, that's a problem.  The intent of the module is to wait for the
timeout before sending the next packet.  Something appears to be waking
the module up early, but I'm not sure what to suggest.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
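The retransmit behaviour Alan describes (no usable reply within the timeout means the module sends the request again) and the "incorrect shared secret" case in his first reply both come down to the Response Authenticator check a RADIUS client performs before it trusts a reply. The following is an added illustration, not code from pam_radius_auth or from the thread: it builds a minimal RFC 2865 Access-Request and Access-Reject with hashlib and shows how a secret mismatch makes every reply look forged, so the client retries and the server records one "attempt" per retransmit. The Request Authenticator, user name, password and secrets are constructed sample values.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3

# Constructed Request Authenticator; a real client uses 16 random bytes per request.
REQ_AUTH = bytes(range(16))

def build_access_request(ident, user, password, secret, req_auth=REQ_AUTH):
    """Minimal RFC 2865 Access-Request with User-Name(1) and User-Password(2).
    The password (<= 16 bytes here) is hidden by XOR with MD5(secret + req_auth)."""
    pw = password.encode().ljust(16, b"\x00")
    hidden = bytes(a ^ b for a, b in zip(pw, hashlib.md5(secret + req_auth).digest()))
    attrs = bytes([1, 2 + len(user)]) + user.encode() + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code, request, secret):
    """Server side: a reply with no attributes.  Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def response_matches(request, response, secret):
    """Client side, as a RADIUS client does before trusting a reply: the ID must match
    the outstanding request and the Response Authenticator must verify under the
    client's copy of the shared secret.  (pam_radius_auth also checks the source IP,
    which is the "wrong IP" case from the thread; not modelled here.)"""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected

def attempts_logged_by_server(client_secret, server_secret, retries=3):
    """Simulate the retransmit loop: the server logs one attempt per packet it
    receives; the client stops only when a reply verifies.  A secret mismatch makes
    every reply look forged, so the client retransmits until it runs out of retries."""
    req = build_access_request(7, "jsmith", "wrong-pass", client_secret)
    attempts = 0
    for _ in range(retries):
        attempts += 1
        reply = build_response(ACCESS_REJECT, req, server_secret)
        if response_matches(req, reply, client_secret):
            break
    return attempts

if __name__ == "__main__":
    print(attempts_logged_by_server(b"secret", b"secret"))   # 1
    print(attempts_logged_by_server(b"secret", b"s3cret"))   # 3
```

The same check is why the config file's warning matters: anyone who can read the shared secret can compute a valid Response Authenticator and forge an Access-Accept that the client will trust.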


pam_radius: multiple bad logins hitting radius server

2007-04-24 Thread J S

I'm running pam_radius 1.3.16 on Solaris 10 using a Cisco ACS backend that
authenticates to an MS AD server.
I'm running into an issue where a user will fail a single login attempt (one
username/password challenge with a bad password) and the ACS will record 3
attempts from the client (the Solaris 10 server). After a single attempt (or
a valid login with a local password) the 3 fails bollix up the AD login
attempts and lock the user out. Am I missing a compile option to only
attempt a single RADIUS login per authentication, or do I possibly have
pam.conf misconfigured? I use sshd-kbdint and sshd-password with the same
results. Otherwise the system works well.


#  pam_radius_auth configuration file.  Copy to: /etc/raddb/server
#
#  For proper security, this file SHOULD have permissions 0600,
#  that is readable by root, and NO ONE else.  If anyone other than
#  root can read this file, then they can spoof responses from the server!
#
#  There are 3 fields per line in this file.  There may be multiple
#  lines.  Blank lines or lines beginning with '#' are treated as
#  comments, and are ignored.  The fields are:
#
#  server[:port] secret [timeout]
#
#  The port name or number is optional.  The default port name is
#  radius, and is looked up from /etc/services.  The timeout field is
#  optional.  The default timeout is 3 seconds.
#
#  If multiple RADIUS server lines exist, they are tried in order.  The
#  first server to return success or failure causes the module to return
#  success or failure.  Only if a server fails to respond is it skipped,
#  and the next server in turn is used.
#
#  The timeout field controls how many seconds the module waits before
#  deciding that the server has failed to respond.
#
# server[:port]   shared_secret   timeout (s)
#127.0.0.1        secret          1
#other-server     other-secret    3
localhost         secret          3
10.0.0.10:2048    3

#
# having localhost in your radius configuration is a Good Thing.
#
# See the INSTALL file for pam.conf hints.


bash-3.00# cat /etc/pam.conf
#
#ident  @(#)pam.conf    1.28    04/04/21 SMI
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the other section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth sufficient /usr/lib/security/pam_radius_auth.so.1 debug
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
login   auth required   pam_unix_auth.so.1
login   auth required   pam_dial_auth.so.1
#
telnet  auth sufficient /usr/lib/security/pam_radius_auth.so.1 debug
#telnet auth required   /usr/lib/security/pam_unix.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient pam_rhosts_auth.so.1
rlogin  auth requisite  pam_authtok_get.so.1
rlogin  auth required   pam_dhkeys.so.1
rlogin  auth required   pam_unix_cred.so.1
rlogin  auth required   pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required   pam_unix_cred.so.1
krlogin auth binding    pam_krb5.so.1
krlogin auth required   pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required   pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required   pam_unix_cred.so.1
krsh    auth binding    pam_krb5.so.1
krsh    auth required   pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required   pam_unix_cred.so.1
ktelnet auth binding    pam_krb5.so.1
ktelnet auth required   pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite  pam_authtok_get.so.1
ppp auth required   pam_dhkeys.so.1
ppp auth required   pam_unix_cred.so.1
ppp auth required   pam_unix_auth.so.1
ppp auth required   pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth required   pam_unix_cred.so.1
other   auth required   pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required   pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account