From danm@s2.ezzi.net  Thu Apr 29 14:02:53 2004
Return-Path: <danm@s2.ezzi.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 094C016A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 29 Apr 2004 14:02:53 -0700 (PDT)
Received: from s2.ezzi.net (s2.ezzi.net [65.125.224.20])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B6CA343D2D
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 29 Apr 2004 14:02:52 -0700 (PDT)
	(envelope-from danm@s2.ezzi.net)
Received: from s2.ezzi.net (localhost [127.0.0.1])
	by s2.ezzi.net (8.12.3p3/8.12.8) with ESMTP id i3TL8Drd099026
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 29 Apr 2004 17:08:13 -0400 (EDT)
	(envelope-from danm@s2.ezzi.net)
Received: (from root@localhost)
	by s2.ezzi.net (8.12.3p3/8.12.8/Submit) id i3TL8CdV099025;
	Thu, 29 Apr 2004 17:08:12 -0400 (EDT)
Message-Id: <200404292108.i3TL8CdV099025@s2.ezzi.net>
Date: Thu, 29 Apr 2004 17:08:12 -0400 (EDT)
From: Dan Mahoney <danm@prime.gushi.org>
Reply-To: Dan Mahoney <danm@prime.gushi.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: template_user is broken in pam_radius
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         66095
>Category:       bin
>Synopsis:       [pam] template_user is broken in pam_radius
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 29 14:10:05 PDT 2004
>Closed-Date:    Thu Feb 14 16:29:59 UTC 2008
>Last-Modified:  Thu Aug 11 21:30:11 UTC 2011
>Originator:     Dan Mahoney
>Release:        FreeBSD 4.6.2-RELEASE-p27 i386
>Organization:
>Environment:
System: FreeBSD s2.ezzi.net 4.6.2-RELEASE-p27 FreeBSD 4.6.2-RELEASE-p27 #0: Tue Apr 6 08:52:46 EDT 2004 danm@s2.ezzi.net:/usr/obj/usr/src/sys/GENERIC i386


	
>Description:

The pam_radius module's man page purports to be able to support a
"template user", i.e. when a user not listed in the local system attempts
to authenticate when pam_radius is in effect, instead, the login
credentials for "template_user" will be presented.

FreeBSD seems to authorize against radius correctly when a local user
exists, but when a non-local user tries to authenticate, the request is
NOT EVEN FORWARDED to the radius server.  Auth simply fails.

>How-To-Repeat:

/etc/radius.conf: 

auth    65.125.237.37   testing123
acct    65.125.237.37   testing123

/etc/pam.conf:

sshd    auth    sufficient      pam_skey.so
sshd    auth    sufficient      pam_opie.so                     no_fake_prompts
#sshd   auth    requisite       pam_opieaccess.so
#sshd   auth    sufficient      pam_kerberosIV.so               try_first_pass
#sshd   auth    sufficient      pam_krb5.so                     try_first_pass
sshd    auth    sufficient      pam_radius.so                   try_first_pass template_user=danm
sshd    auth    required        pam_unix.so                     try_first_pass
sshd    account sufficient      pam_radius.so                   try_first_pass template_user=danm
sshd    account required        pam_unix.so
sshd    password required       pam_permit.so
sshd    session required        pam_permit.so

try to log in as a user who is present on the radius server but not
present on the local system.

>Fix:

None known.


>Release-Note:
>Audit-Trail:

From: "C. Tate Baumrucker" <tate@baumrucker.org>
To: bug-followup@FreeBSD.org, danm@prime.gushi.org
Cc:  
Subject: Re: bin/66095: template_user is broken in pam_radius
Date: Tue, 01 Nov 2005 15:36:45 -0500

 Any hope for a patch re: template_user and pam_radius? 
 Running 6.0-RC1 and template_user doesn't seem to work.
  Any workaround?
 Thanks,
 Tate

From: "Dan Mahoney, System Admin" <danm@prime.gushi.org>
To: "C. Tate Baumrucker" <tate@baumrucker.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/66095: template_user is broken in pam_radius
Date: Tue, 1 Nov 2005 16:43:20 -0500 (EST)

 On Tue, 1 Nov 2005, C. Tate Baumrucker wrote:
 
 I wouldn't hold your breath.
 
 Personally, this little bug shot to hell any hope of using radius for 
 central auth on all our systems (because radius is a great common 
 denominator, even windows can speak it!)
 
 At the very least, the notation about the function should be removed.
 
 I'd fix it, but I do not speak C and have no IDEA where to even go about 
 trying to run a truss on something as crucial as PAM.
 
 -Dan
 
 --
 
 "Happy, Sad, Happy, Sad, Happy, Sad, Happy, Intrigued!  I've never been so
 in touch with my emotions!"
 
 -AndrAIa as Hexadecimal, Reboot Episode 3.2.3
 
 --------Dan Mahoney--------
 Techie,  Sysadmin,  WebGeek
 Gushi on efnet/undernet IRC
 ICQ: 13735144   AIM: LarpGM
 Site:  http://www.gushi.org
 ---------------------------
 
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Thu Feb 14 16:26:43 UTC 2008 
State-Changed-Why:  
This is actually a configuration error. 

At the point where pam_radius submits an authentication request to the 
server, it doesn't know (or care) whether the user exists in the local 
user database.  It doesn't make that check until after the user has been 
authenticated by the radius server. 

The only explanation for this is that the originator had something in 
their PAM configuration that rejected the authentication attempt before 
it ever reached pam_radius.  This could easily have been verified by 
enabling debugging with the "debug" keyword in the appropriate PAM 
stack. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=66095 
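A small walk-through of the sshd auth stack quoted in the PR, added here as an example (it is not code from the PR, from OpenPAM or from pam_radius): it models the standard PAM control-flag semantics and reports which modules are consulted, which is the check des's explanation calls for, namely whether some module earlier in the stack can reject the request before pam_radius runs. The requisite pam_opieaccess line is the one the PR shows commented out, enabled here purely as a hypothetical.

```python
# Walk-through of the sshd "auth" stack quoted in PR bin/66095.  Added example,
# not code from the PR, OpenPAM or pam_radius: it models the usual PAM control
# flags and reports which modules are consulted, to spot a module that rejects
# the request before pam_radius is ever reached.
# The active sshd auth lines from the PR.  SUSPECT_CONF additionally enables
# the pam_opieaccess line the PR shows commented out (a hypothetical).
PR_CONF = """\
sshd    auth    sufficient      pam_skey.so
sshd    auth    sufficient      pam_opie.so                     no_fake_prompts
sshd    auth    sufficient      pam_radius.so                   try_first_pass template_user=danm
sshd    auth    required        pam_unix.so                     try_first_pass
"""
_lines = PR_CONF.splitlines()
SUSPECT_CONF = "\n".join(
    _lines[:2] + ["sshd    auth    requisite       pam_opieaccess.so"] + _lines[2:])

def parse_stack(conf, service="sshd", facility="auth"):
    """Return [(control, module)] for one service/facility, in file order."""
    stack = []
    for line in conf.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith("#"):
            svc, fac, control, module = fields[:4]
            if svc == service and fac == facility:
                stack.append((control, module))
    return stack

def run_stack(stack, results):
    """Evaluate the stack with results {module: True/False}.

    Returns (outcome, consulted).  A successful 'sufficient' ends the stack
    with success unless a 'required' already failed; a failed 'requisite'
    ends it at once; 'required' failures are remembered; 'optional' is ignored.
    """
    consulted, required_failed, any_success = [], False, False
    for control, module in stack:
        consulted.append(module)
        if results.get(module, False):        # unknown module counts as failure
            any_success = True
            if control == "sufficient" and not required_failed:
                return "PAM_SUCCESS", consulted
        elif control == "requisite":
            return "PAM_AUTH_ERR", consulted
        elif control == "required":
            required_failed = True
    if required_failed or not any_success:
        return "PAM_AUTH_ERR", consulted
    return "PAM_SUCCESS", consulted
```

With the PR's own stack, a non-local user whose pam_skey and pam_opie calls fail still reaches pam_radius, because a failing "sufficient" line never stops the stack; only a "requisite" (or an earlier "required") line before pam_radius can. On a live system the "debug" keyword des mentions gives the same answer from syslog.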

From: markham breitbach <markham_breitbach@ssimicro.com>
To: bug-followup@FreeBSD.org, danm@prime.gushi.org
Cc:  
Subject: Re: bin/66095: [pam] template_user is broken in pam_radius
Date: Thu, 11 Aug 2011 14:41:11 -0600

 The problem I have with this explanation is that when pam_radius is configured with the
 template_user pam sends an invalid password hash to my radius server, causing my radius
 server to reject the auth.  When I create a local user account and remove template_user,
 it works as expected.

From: markham breitbach <markham_breitbach@ssimicro.com>
To: bug-followup@FreeBSD.org, danm@prime.gushi.org
Cc:  
Subject: Re: bin/66095: [pam] template_user is broken in pam_radius
Date: Thu, 11 Aug 2011 15:20:35 -0600

 Further to this, I have inserted some debug output into pam_radius.so.5 to output the
 password to syslog from the build_access_request.  When I have a local user account
 matching the login I am using it works correctly and logs me in and syslog shows my
 password as expected:
 
 Aug 11 17:09:22 ssi-knta-pd1 sshd[5464]: rad_mb_debug: MySecret
 
 When I remove the local user account pam_radius uses the incorrect password when
 generating the password hash for the radius packet.
 
 Aug 11 17:09:48 ssi-knta-pd1 sshd[5473]: rad_mb_debug: ^H ^M^?INCORRECT
 
 
>Unformatted:
