Skip to content
Snippets Groups Projects
Commit 726bed8e authored by Markus Gothe's avatar Markus Gothe :ok_hand:
Browse files

Revert "R#37811 - Tacacs/Radius authentication support"

This reverts commit 9838ecc5.
parent 7e82947d
No related branches found
No related tags found
No related merge requests found
......@@ -4,13 +4,16 @@
# /etc/security/pam_env.conf.
auth required pam_env.so
# Use RADIUS Server for authentication
# auth sufficient pam_radius_auth.so
# Skip Google Authenticator if logging in from the local network.
# auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-sshd-local.conf
# Google Authenticator 2-step verification.
# auth requisite pam_google_authenticator.so
# Standard Un*x authentication, but fallback to radius if this fails
auth sufficient pam_unix.so nullok_secure
# Standard Un*x authentication.
auth include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
......@@ -19,15 +22,6 @@ account required pam_nologin.so
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Use RADIUS Server for authentication
auth sufficient pam_radius_auth.so
auth required pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# Standard Un*x authorization.
account include common-account
......
diff --git a/auth-pam.c b/auth-pam.c
index 8323821..b7a750d 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -522,6 +522,12 @@ sshpam_thread(void *ctxtp)
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
+ // set user to root otherwise account/session management
+ // fails in case radius is used to authenticate
+ sshpam_err = pam_set_item(sshpam_handle, PAM_USER, "root");
+ if (sshpam_err != PAM_SUCCESS)
+ goto auth_fail;
+
if (!do_pam_account()) {
sshpam_err = PAM_ACCT_EXPIRED;
goto auth_fail;
@@ -1090,6 +1096,11 @@ do_pam_setcred(int init)
pam_strerror(sshpam_handle, sshpam_err));
if (init) {
debug("PAM: establishing credentials");
+ // credential might not be present in case radius is used
+ // so, set user to root
+ sshpam_err = pam_set_item(sshpam_handle, PAM_USER, "root");
+ if (sshpam_err != PAM_SUCCESS)
+ debug("PAM: could not set user to root");
sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
} else {
debug("PAM: reinitializing credentials");
diff --git a/monitor.c b/monitor.c
index 4cf79df..8875890 100644
--- a/monitor.c
+++ b/monitor.c
@@ -723,6 +723,10 @@
pwent = getpwnamallow(ssh, authctxt->user);
+ // to allow fall back to radius if local account is not present
+ if (!pwent)
+ pwent = getpwnamallow(ssh, "root");
+
setproctitle("%s [priv]", pwent ? authctxt->user : "unknown");
sshbuf_reset(m);
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment