From pylej@shell13.ba.best.com  Tue Jul 17 16:29:24 2001
Return-Path: <pylej@shell13.ba.best.com>
Received: from shell13.ba.best.com (shell13.ba.best.com [206.184.139.144])
	by hub.freebsd.org (Postfix) with ESMTP id 58F6337B405
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 17 Jul 2001 16:29:24 -0700 (PDT)
	(envelope-from pylej@shell13.ba.best.com)
Received: (from pylej@localhost)
	by shell13.ba.best.com (8.9.3/8.9.2/best.sh) id QAA02868;
	Tue, 17 Jul 2001 16:29:07 -0700 (PDT)
Message-Id: <200107172329.QAA02868@shell13.ba.best.com>
Date: Tue, 17 Jul 2001 16:29:07 -0700 (PDT)
From: joe@pyle.com
Reply-To: joe@pyle.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: OpenSSH 2.5 and greater using PAM for remote authentication for Radius or TACACS
X-Send-Pr-Version: 3.2

>Number:         29049
>Category:       bin
>Synopsis:       <Remote authentication using PAM is overridden by OpenSSH>
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    green
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 17 16:30:00 PDT 2001
>Closed-Date:    Sat Jul 12 21:22:55 PDT 2003
>Last-Modified:  Sat Jul 12 21:22:55 PDT 2003
>Originator:     Joseph J. Pyle
>Release:        FreeBSD 2.2.8-STABLE i386
>Organization:
<Internet Consultant>
>Environment:
>Description:
A general problem with remote authentication where OpenSSH does local UID checking before it passes authentication control to PAM modules that authenticate users on remote authentication services like TACACS+ or Radius.

Using functions like getpwnam simply override and duplicate PAM authentication schemes which may or may not issue the same problem.

These schemes with Radius or TACACS+ will both work when the username exists on the local Unix system authentication as found in the /etc/passwd and /etc/shadow files.

It is understood that OpenSSH has its own use for defining rules for local users and may need to check for their existence outside of using PAM.

It would be nice to allow users of PAM to control the entire authentication scheme using PAM rules versus letting the application like OpenSSH define its own
scheme which happens to override PAM before it attempts to pass control on to
PAM modules.

>How-To-Repeat:
Using FreeRadius Server and PAM Module you can repeat the problem by configuring a user on the Radius Server that does not have a Unix account on the Client system.

I can point to specific code to illustrate this scenario if desired.
>Fix:
Place PAM module checking first before local authentication verification.

auth2.c:189

    189         if (authctxt->attempt++ == 0) {
    190                 /* setup auth context */
    191                 struct passwd *pw = NULL;
    192                 pw = getpwnam(user);
    193                 if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) {
    194                         authctxt->pw = pwcopy(pw);
    195                         authctxt->valid = 1;
    196                         debug2("input_userauth_request: setting up authctxt for %s", user);
    197 #ifdef USE_PAM
    198                         start_pam(pw->pw_name);

This area might be modified to try to do PAM authentication somewhere else
first and then implement this area of code?

It appears to be a non-trivial code change since this initialization using
the struct authctxt is done in many places first before doing start_pam.
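The ordering problem described in this report, reduced to a small C model. This is an added illustration, not OpenSSH code and not the submitter's proposed patch: the local passwd table and the "remote directory" standing in for a RADIUS/TACACS+-backed PAM module are constructed in memory, lookup_local() plays the role of getpwnam()/allowed_user() and remote_pam_authenticate() plays the role of a pam_authenticate() call. auth_local_first() mirrors the gating seen in the quoted auth2.c region (local lookup first, PAM only for users that already exist locally); auth_pam_first() is the order the report asks for, with the extra result code AUTH_OK_REMOTE_ONLY (an assumption of this example) marking the case where PAM accepted a user that has no local account, which the caller would still have to map to a uid before any session could be started.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for /etc/passwd: only "alice" and "svc" exist locally.
 * "allowed" models the allowed_user() policy check from the quoted sshd code. */
struct local_pw { const char *name; int uid; int allowed; };
static const struct local_pw LOCAL_PASSWD[] = {
    { "alice", 1001, 1 },
    { "svc",   1002, 0 },   /* exists locally but is denied by local policy */
};

/* Constructed stand-in for the accounts a RADIUS/TACACS+ server knows.
 * "bob" is known only remotely and has no local passwd entry. */
struct remote_cred { const char *name; const char *secret; };
static const struct remote_cred REMOTE_DIRECTORY[] = {
    { "alice", "alice-pw" },
    { "bob",   "bob-pw" },
};

enum auth_result {
    AUTH_DENIED         = 0,
    AUTH_OK_LOCAL       = 1,  /* authenticated and a local uid is available */
    AUTH_OK_REMOTE_ONLY = 2   /* authenticated by PAM, but no local account (assumed code) */
};

/* getpwnam() analogue over the constructed table. */
static const struct local_pw *lookup_local(const char *user)
{
    size_t i;
    for (i = 0; i < sizeof(LOCAL_PASSWD) / sizeof(LOCAL_PASSWD[0]); i++)
        if (strcmp(LOCAL_PASSWD[i].name, user) == 0)
            return &LOCAL_PASSWD[i];
    return NULL;
}

/* pam_authenticate() analogue: the remote service decides purely on its own data. */
static int remote_pam_authenticate(const char *user, const char *secret)
{
    size_t i;
    for (i = 0; i < sizeof(REMOTE_DIRECTORY) / sizeof(REMOTE_DIRECTORY[0]); i++)
        if (strcmp(REMOTE_DIRECTORY[i].name, user) == 0)
            return strcmp(REMOTE_DIRECTORY[i].secret, secret) == 0;
    return 0;
}

/* Order seen in the quoted auth2.c: the local lookup gates everything, so
 * PAM is never consulted for a user that is unknown to the local passwd file. */
enum auth_result auth_local_first(const char *user, const char *secret)
{
    const struct local_pw *pw = lookup_local(user);
    if (pw == NULL || !pw->allowed)
        return AUTH_DENIED;           /* remote-only users are rejected here */
    return remote_pam_authenticate(user, secret) ? AUTH_OK_LOCAL : AUTH_DENIED;
}

/* Order the report asks for: PAM makes the authentication decision first; the
 * local entry is consulted afterwards only to decide how a session could be set up. */
enum auth_result auth_pam_first(const char *user, const char *secret)
{
    const struct local_pw *pw;
    if (!remote_pam_authenticate(user, secret))
        return AUTH_DENIED;
    pw = lookup_local(user);
    if (pw != NULL)
        return pw->allowed ? AUTH_OK_LOCAL : AUTH_DENIED;  /* local policy still applies */
    return AUTH_OK_REMOTE_ONLY;       /* caller must still map this user to a uid */
}

int main(void)
{
    printf("local-first, bob (remote only): %d\n", auth_local_first("bob", "bob-pw"));
    printf("pam-first,   bob (remote only): %d\n", auth_pam_first("bob", "bob-pw"));
    printf("pam-first,   alice (local):     %d\n", auth_pam_first("alice", "alice-pw"));
    return 0;
}
```

Running it shows the failure mode from the How-To-Repeat section: with the local-first order, "bob" (configured only on the remote server) is denied before the PAM module ever runs, while in the PAM-first order he authenticates and the missing local account surfaces as a separate, explicit condition instead of a silent denial.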
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: dd 
Responsible-Changed-When: Sun Jul 22 07:35:23 PDT 2001 
Responsible-Changed-Why:  
misfiled 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29049 
Responsible-Changed-From-To: freebsd-bugs->green 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sun Aug 19 02:42:10 PDT 2001 
Responsible-Changed-Why:  
Over to green, since this is allegedly a problem with our local mods to the code. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29049 
State-Changed-From-To: open->closed 
State-Changed-By: green 
State-Changed-When: Sat Jul 12 21:22:19 PDT 2003 
State-Changed-Why:  
Should not persist any longer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=29049 
>Unformatted:
