freebsd security - Aug 2005 - pam_radius fail open?

Okay, I guess I?ll be the first to take Colin Percival up in that the 
following statement applies to me:

?If you find a security problem -- or even if you find something which 
might possibly be a security problem but you're not certain if it is or 
not -- then please let us know.?

I recently installed pam_radius according to the instructions located at 
the following address:

https://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/PamRadius?shin=print.patern

The instructions were very helpful.

However, I?m not sure if I?ve mistakenly stumbled onto a fail open 
situation in that I?m fairly new to FreeBSD.  Namely, while configuring 
/etc/pam.conf to validate SSH login credentials via radius against our 
existing Active Directory, I mistakenly typed the line for ssh as follows:

ssh auth required pam_radius.so -update -/usr/local/etc/radius

mistakenly thinking that one specifies the protocol as opposed to the 
daemon.  Here is the result when I ssh in to the server from another host:

login as: smalone
Last login: Fri Aug 19 16:34:16 2005 from 10.3.20.101
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
         The Regents of the University of California.  All rights reserved.

FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Mar 25 20:58:42 CST 2005
$

The thing to note is that the system did not prompt me for a password. 
I got right in to a shell prompt.


Frightened, I then corrected the line to read:

sshd auth required pam_radius.so -update -/usr/local/etc/radius

and all worked as it should.  I could ssh into the system using my AD 
password and the log file on the IAS server recorded a successful radius 
auth from the host.

However, I then went back to the /etc/pam.conf file and commented out 
the ssh line all together resulting in a pam.conf that reads exactly as 
below:

$ cat /etc/pam.conf
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#

# auth

#sshd auth required pam_radius.so -update -/usr/local/etc/radius
#auth           required        pam_nologin.so          no_warn
#auth           sufficient      pam_opie.so             no_warn 
no_fake_prompts
#auth           requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn 
try_first_pass
#auth           sufficient      pam_ssh.so              no_warn 
try_first_pass
#auth           required        pam_unix.so             no_warn 
try_first_pass

# account
#account        required        pam_krb5.so
#account                required        pam_login_access.so
#account                required        pam_unix.so

# session
#session        optional        pam_ssh.so
#session                required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn 
try_first_pass
#password       required        pam_unix.so             no_warn 
try_first_pass
$

Basically, it?s an empty file as far as pam_radius knows.

Then I tried once more to ssh in to the server and was, once again, let 
in without being prompted for a password.

Thus, would it not only require someone to merely know the name of one 
of your users (such as an email username on an email host) to get a shell?

Is this a fail open?

Regards,

Sean Malone

On 8/19/05, Sean P. Malone <smalone@udallas.edu>
wrote:
> $ cat /etc/pam.conf
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> #
> # PAM configuration for the "sshd" service
> #
> 
> # auth
> 
> #sshd auth required pam_radius.so -update -/usr/local/etc/radius
> #auth           required        pam_nologin.so          no_warn
> Basically, it's an empty file as far as pam_radius knows.
> 
I think you incorrectly configured your system, you should have edited
the /etc/pam.d/sshd file and added the pam_radius in there as:

auth required pam_radius.so -update -/usr/local/etc/radius

When you created the /etc/pam.conf file, you told PAM to not look in
the /etc/pam.d directory for config info for any of the services
listed in /etc/pam.d.  This caused it to not know how to authenticate
any logins, which resulted in it allowing all logins.

I believe this is also why you were able to log into your system with just a:

ssh auth required pam_radius.so -update -/usr/local/etc/radius

in your /etc/pam.conf, as there was no entry for sshd in pam.conf.

Scot
-- 
DISCLAIMER:
No electrons were mamed while sending this message. Only slightly bruised.

"Sean P. Malone" <smalone@udallas.edu>
writes:
> I recently installed pam_radius according to the instructions located
> at the following address:
>
>
https://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/PamRadius?shin=print.patern
why?  5.3 ships with pam_radius(8).
> However, I'm not sure if I've mistakenly stumbled onto a fail open
> situation in that I'm fairly new to FreeBSD.  Namely, while
> configuring /etc/pam.conf to validate SSH login credentials via radius
> against our existing Active Directory, I mistakenly typed the line for
> ssh as follows:  [...]
I am surprised that editing /etc/pam.conf had any effect at all, since
/etc/pam.d/sshd takes precedence.  Are you running a clean 5.3
install, or did you upgrade from 4.x?

And yes, PAM does fail open when no configuration exists.  You can
easily change that by creating /etc/pam.d/default with the following
contents:

auth      required      pam_deny.so
account   required      pam_deny.so
session   required      pam_deny.so
password  requires      pam_deny.so

or slightly less easily by adding the appropriate check around line
100 of src/contrib/openpam/lib/openpam_dispatch.c, like NetBSD did:

        if (chain == NULL)
                RETURNC(PAM_SYSTEM_ERR);

DES
-- 
Dag-Erling Sm?rgrav - des@des.no