openwrt-packages, commit 726bed8e, authored 5 months ago by Markus Gothe
Revert "R#37811 - Tacacs/Radius authentication support"
This reverts commit 9838ecc5.
parent 7e82947d
Showing 2 changed files with 5 additions and 55 deletions:
net/openssh/files/sshd.pam (+5 −11)
net/openssh/patches/0001_allow_non_local_users_ssh.patch (+0 −44)
net/openssh/files/sshd.pam (+5 −11), file @ 726bed8e
@@ -4,13 +4,16 @@
# /etc/security/pam_env.conf.
auth required pam_env.so
# Use RADIUS Server for authentication
# auth sufficient pam_radius_auth.so
# Skip Google Authenticator if logging in from the local network.
# auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-sshd-local.conf
# Google Authenticator 2-step verification.
# auth requisite pam_google_authenticator.so
# Standard Un*x authentication
, but fallback to radius if this fails
auth
sufficient pam_unix.so nullok_secure
# Standard Un*x authentication
.
auth
include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
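Review bot: The commented-out `# auth sufficient pam_radius_auth.so` template at the top of this hunk sits ahead of the `pam_access.so` and `pam_google_authenticator.so` lines, so if both are ever enabled a RADIUS success ends the auth stack before the 2-step verification is reached. Move the template below the Google Authenticator lines, or add a comment saying that `sufficient` at this position bypasses them. Separately, `auth include common-auth` now carries the local policy that `pam_unix.so nullok_secure` expressed inline, so the null-password behaviour should be checked in `common-auth`, which this diff does not show.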
@@ -19,15 +22,6 @@ account required pam_nologin.so
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Use RADIUS Server for authentication
auth sufficient pam_radius_auth.so
auth required pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# Standard Un*x authorization.
account include common-account
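Review bot: The commit message says only that this reverts 9838ecc5 and gives no reason for dropping the `pam_radius_auth.so`, `pam_deny.so` and `pam_permit.so` entries shown in this hunk; the reason should be recorded in the message. This block also held the only explicit `auth required pam_deny.so` visible in the file, and it sat among the `account` entries rather than with the other `auth` lines. With it gone, deny-on-failure rests entirely on `common-auth`, so confirm that file fails closed.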
net/openssh/patches/0001_allow_non_local_users_ssh.patch (deleted, 100644 → 0, +0 −44), file @ 7e82947d
diff --git a/auth-pam.c b/auth-pam.c
index 8323821..b7a750d 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -522,6 +522,12 @@
sshpam_thread(void *ctxtp)
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
+ // set user to root otherwise account/session management
+ // fails in case radius is used to authenticate
+ sshpam_err = pam_set_item(sshpam_handle, PAM_USER, "root");
+ if (sshpam_err != PAM_SUCCESS)
+ goto auth_fail;
+
if (!do_pam_account()) {
sshpam_err = PAM_ACCT_EXPIRED;
goto auth_fail;
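Review bot: `pam_set_item(sshpam_handle, PAM_USER, "root")` ahead of `do_pam_account()` runs unconditionally, not only when RADIUS was used as the comment implies, so account management is always evaluated for root instead of the name that authenticated. Expiry and access rules for the real user are never applied. Deleting this patch is the right call; if remote-user support returns, map such users to a dedicated unprivileged local account rather than rewriting `PAM_USER`.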
@@ -1090,6 +1096,11 @@
do_pam_setcred(int init)
pam_strerror(sshpam_handle, sshpam_err));
if (init) {
debug("PAM: establishing credentials");
+ // credential might not be present in case radius is used
+ // so, set user to root
+ sshpam_err = pam_set_item(sshpam_handle, PAM_USER, "root");
+ if (sshpam_err != PAM_SUCCESS)
+ debug("PAM: could not set user to root");
sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
} else {
debug("PAM: reinitializing credentials");
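Review bot: In the `if (init)` branch a failed `pam_set_item` is only logged with `debug()` and its error code is then overwritten by the `pam_setcred` call on the next line, whereas the same call in `sshpam_thread` jumps to `auth_fail`; the failure is effectively ignored here. The hunk also establishes credentials under "root" for every session regardless of who logged in. Removing the patch resolves both; any replacement should fail closed on the error and not hardcode the user name.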
diff --git a/monitor.c b/monitor.c
index 4cf79df..8875890 100644
--- a/monitor.c
+++ b/monitor.c
@@ -723,6 +723,10 @@
pwent = getpwnamallow(ssh, authctxt->user);
+ // to allow fall back to radius if local account is not present
+ if (!pwent)
+ pwent = getpwnamallow(ssh, "root");
+
setproctitle("%s [priv]", pwent ? authctxt->user : "unknown");
sshbuf_reset(m);
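Review bot: `if (!pwent) pwent = getpwnamallow(ssh, "root");` hands root's passwd entry to any login name that has no local account, with no check visible here that the name was accepted by RADIUS, and it makes the `pwent ? authctxt->user : "unknown"` fallback in `setproctitle` unreachable whenever the root lookup succeeds. Dropping this is correct; any reintroduction should resolve unknown names to a dedicated restricted account and leave invalid users with a NULL `pwent`.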