Revert "R#37811 - Tacacs/Radius authentication support"

This reverts commit 9838ecc5.

Revert "R#37811 - Tacacs/Radius authentication support"
726bed8e · Markus Gothe · 7e82947d · 726bed8e · 7e82947d
Commit 726bed8e authored 5 months ago by Markus Gothe
--- a/net/openssh/files/sshd.pam
+++ b/net/openssh/files/sshd.pam
@@ -4,13 +4,16 @@
 # /etc/security/pam_env.conf.
 auth       required     pam_env.so

+# Use RADIUS Server for authentication
+# auth       sufficient   pam_radius_auth.so
+
 # Skip Google Authenticator if logging in from the local network.
 # auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-sshd-local.conf
 # Google Authenticator 2-step verification.
 # auth       requisite    pam_google_authenticator.so

-# Standard Un*x authentication, but fallback to radius if this fails
-auth       sufficient   pam_unix.so     nullok_secure
+# Standard Un*x authentication.
+auth       include      common-auth

 # Disallow non-root logins when /etc/nologin exists.
 account    required     pam_nologin.so
@@ -19,15 +22,6 @@ account    required     pam_nologin.so
 # access limits that are hard to express in sshd_config.
 # account    required     pam_access.so

-# Use RADIUS Server for authentication
-auth       sufficient   pam_radius_auth.so
-
-auth       required     pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-auth       required     pam_permit.so
-
 # Standard Un*x authorization.
 account    include      common-account


--- a/net/openssh/patches/0001_allow_non_local_users_ssh.patch
+++ b/net/openssh/patches/0001_allow_non_local_users_ssh.patch
-diff --git a/auth-pam.c b/auth-pam.c
-index 8323821..b7a750d 100644
--- a/auth-pam.c
-+++ b/auth-pam.c
-@@ -522,6 +522,12 @@ sshpam_thread(void *ctxtp)
- 	if (sshpam_err != PAM_SUCCESS)
- 		goto auth_fail;
- 
-+	// set user to root otherwise account/session management
-+	// fails in case radius is used to authenticate
-+	sshpam_err = pam_set_item(sshpam_handle, PAM_USER, "root");
-+	if (sshpam_err != PAM_SUCCESS)
-+		goto auth_fail;
-+
- 	if (!do_pam_account()) {
- 		sshpam_err = PAM_ACCT_EXPIRED;
- 		goto auth_fail;
-@@ -1090,6 +1096,11 @@ do_pam_setcred(int init)
- 		    pam_strerror(sshpam_handle, sshpam_err));
- 	if (init) {
- 		debug("PAM: establishing credentials");
-+		// credential might not be present in case radius is used
-+		// so, set user to root
-+		sshpam_err = pam_set_item(sshpam_handle, PAM_USER, "root");
-+		if (sshpam_err != PAM_SUCCESS)
-+			debug("PAM: could not set user to root");
- 		sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
- 	} else {
- 		debug("PAM: reinitializing credentials");
-diff --git a/monitor.c b/monitor.c
-index 4cf79df..8875890 100644
--- a/monitor.c
-+++ b/monitor.c
-@@ -723,6 +723,10 @@
- 
- 	pwent = getpwnamallow(ssh, authctxt->user);
- 
-+	// to allow fall back to radius if local account is not present
-+	if (!pwent)
-+		pwent = getpwnamallow(ssh, "root");
-+
- 	setproctitle("%s [priv]", pwent ? authctxt->user : "unknown");
- 
- 	sshbuf_reset(m);