From 2a023b878471500bd78962ca94d9174a328ce5c9 Mon Sep 17 00:00:00 2001 From: zsdc Date: Wed, 13 Sep 2023 12:41:04 +0300 Subject: RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUS In CLI we can choose authentication logic: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode. --- src/pam-configs/radius-mandatory | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 src/pam-configs/radius-mandatory (limited to 'src/pam-configs/radius-mandatory') diff --git a/src/pam-configs/radius-mandatory b/src/pam-configs/radius-mandatory new file mode 100644 index 000000000..43b6bd3e0 --- /dev/null +++ b/src/pam-configs/radius-mandatory @@ -0,0 +1,19 @@ +Name: RADIUS authentication (mandatory mode) +Default: no +Priority: 576 + +Auth-Type: Primary +Auth-Initial: + [default=ignore success=end perm_denied=bad auth_err=bad] pam_radius_auth.so +Auth: + [default=ignore success=end perm_denied=bad auth_err=bad] pam_radius_auth.so use_first_pass + +Account-Type: Primary +Account: + [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet + [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_radius_auth.so + +Session-Type: Additional +Session: + [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet + [default=ignore success=ok perm_denied=bad auth_err=bad] pam_radius_auth.so -- cgit v1.2.3 From c5dbc2049fd4fb2da6a0173611970978b11ec362 Mon Sep 17 00:00:00 2001 From: zsdc Date: Tue, 19 Sep 2023 21:03:51 +0300 Subject: pam: T5577: Improved PAM configs for RADIUS and TACACS+ After sources analysis, we found the next possible return statuses for PAM modules: 1. pam_tacplus Auth: - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_AUTHTOK_ERR - PAM_BUF_ERR - PAM_CRED_INSUFFICIENT - PAM_PERM_DENIED - PAM_SUCCESS - PAM_USER_UNKNOWN Account: - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_PERM_DENIED - PAM_SUCCESS - PAM_USER_UNKNOWN Session: - PAM_AUTHINFO_UNAVAIL - PAM_SESSION_ERR - PAM_SUCCESS - PAM_USER_UNKNOWN 2. pam_radius_auth Auth: - PAM_ABORT - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_AUTHTOK_ERR - PAM_BAD_ITEM - PAM_BUF_ERR - PAM_CONV_AGAIN - PAM_CONV_ERR - PAM_IGNORE - PAM_NO_MODULE_DATA - PAM_PERM_DENIED - PAM_SUCCESS - PAM_SYSTEM_ERR - PAM_USER_UNKNOWN Account: - PAM_SUCCESS Session: - PAM_ABORT - PAM_AUTHINFO_UNAVAIL - PAM_BAD_ITEM - PAM_BUF_ERR - PAM_CONV_AGAIN - PAM_CONV_ERR - PAM_IGNORE - PAM_NO_MODULE_DATA - PAM_PERM_DENIED - PAM_SUCCESS - PAM_SYSTEM_ERR - PAM_USER_UNKNOWN PAM configurations were replaced with tuned versions to take this into account. --- src/pam-configs/radius-mandatory | 8 ++++---- src/pam-configs/radius-optional | 4 ++-- src/pam-configs/tacplus-mandatory | 8 +++----- src/pam-configs/tacplus-optional | 8 +++----- 4 files changed, 12 insertions(+), 16 deletions(-) (limited to 'src/pam-configs/radius-mandatory') diff --git a/src/pam-configs/radius-mandatory b/src/pam-configs/radius-mandatory index 43b6bd3e0..3368fe7ff 100644 --- a/src/pam-configs/radius-mandatory +++ b/src/pam-configs/radius-mandatory @@ -4,16 +4,16 @@ Priority: 576 Auth-Type: Primary Auth-Initial: - [default=ignore success=end perm_denied=bad auth_err=bad] pam_radius_auth.so + [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so Auth: - [default=ignore success=end perm_denied=bad auth_err=bad] pam_radius_auth.so use_first_pass + [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so use_first_pass Account-Type: Primary Account: [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet - [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_radius_auth.so + [default=ignore success=end] pam_radius_auth.so Session-Type: Additional Session: [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet - [default=ignore success=ok perm_denied=bad auth_err=bad] pam_radius_auth.so + [default=bad success=ok] pam_radius_auth.so diff --git a/src/pam-configs/radius-optional b/src/pam-configs/radius-optional index 9f6d5f0ea..73085061d 100644 --- a/src/pam-configs/radius-optional +++ b/src/pam-configs/radius-optional @@ -11,9 +11,9 @@ Auth: Account-Type: Primary Account: [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet - [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_radius_auth.so + [default=ignore success=end] pam_radius_auth.so Session-Type: Additional Session: [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet - [default=ignore success=ok perm_denied=bad auth_err=bad] pam_radius_auth.so + [default=ignore success=ok perm_denied=bad user_unknown=bad] pam_radius_auth.so diff --git a/src/pam-configs/tacplus-mandatory b/src/pam-configs/tacplus-mandatory index 92da02327..ffccece19 100644 --- a/src/pam-configs/tacplus-mandatory +++ b/src/pam-configs/tacplus-mandatory @@ -3,17 +3,15 @@ Default: no Priority: 576 Auth-Type: Primary -Auth-Initial: - [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login Auth: - [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass + [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_tacplus.so include=/etc/tacplus_servers login=login Account-Type: Primary Account: [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet - [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + [default=bad success=end] pam_tacplus.so include=/etc/tacplus_servers login=login Session-Type: Additional Session: [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet - [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + [default=bad success=ok] pam_tacplus.so include=/etc/tacplus_servers login=login diff --git a/src/pam-configs/tacplus-optional b/src/pam-configs/tacplus-optional index deed537d3..095c3a164 100644 --- a/src/pam-configs/tacplus-optional +++ b/src/pam-configs/tacplus-optional @@ -3,17 +3,15 @@ Default: no Priority: 576 Auth-Type: Primary -Auth-Initial: - [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login Auth: - [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass + [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login Account-Type: Primary Account: [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet - [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + [default=ignore success=end auth_err=bad perm_denied=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login Session-Type: Additional Session: [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet - [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + [default=ignore success=ok session_err=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login -- cgit v1.2.3