diff options
author | zsdc <taras@vyos.io> | 2023-09-19 21:03:51 +0300 |
---|---|---|
committer | zsdc <taras@vyos.io> | 2023-09-19 21:03:51 +0300 |
commit | 784fb7dc2ccc63789ed85d803e3ae41eef0e0253 (patch) | |
tree | 39406e6df65ca07b431ac41605a47ce6c786186f | |
parent | 1c804685d05ad639bcb1a9ebce68a7a14268500f (diff) | |
download | vyos-1x-784fb7dc2ccc63789ed85d803e3ae41eef0e0253.tar.gz vyos-1x-784fb7dc2ccc63789ed85d803e3ae41eef0e0253.zip |
pam: T5577: Improved PAM configs for RADIUS and TACACS+
After sources analysis, we found the next possible return statuses for PAM
modules:
1. pam_tacplus
Auth:
- PAM_AUTH_ERR
- PAM_AUTHINFO_UNAVAIL
- PAM_AUTHTOK_ERR
- PAM_BUF_ERR
- PAM_CRED_INSUFFICIENT
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_USER_UNKNOWN
Account:
- PAM_AUTH_ERR
- PAM_AUTHINFO_UNAVAIL
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_USER_UNKNOWN
Session:
- PAM_AUTHINFO_UNAVAIL
- PAM_SESSION_ERR
- PAM_SUCCESS
- PAM_USER_UNKNOWN
2. pam_radius_auth
Auth:
- PAM_ABORT
- PAM_AUTH_ERR
- PAM_AUTHINFO_UNAVAIL
- PAM_AUTHTOK_ERR
- PAM_BAD_ITEM
- PAM_BUF_ERR
- PAM_CONV_AGAIN
- PAM_CONV_ERR
- PAM_IGNORE
- PAM_NO_MODULE_DATA
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_SYSTEM_ERR
- PAM_USER_UNKNOWN
Account:
- PAM_SUCCESS
Session:
- PAM_ABORT
- PAM_AUTHINFO_UNAVAIL
- PAM_BAD_ITEM
- PAM_BUF_ERR
- PAM_CONV_AGAIN
- PAM_CONV_ERR
- PAM_IGNORE
- PAM_NO_MODULE_DATA
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_SYSTEM_ERR
- PAM_USER_UNKNOWN
PAM configurations were replaced with tuned versions to take this into account.
-rw-r--r-- | src/pam-configs/radius-mandatory | 8 | ||||
-rw-r--r-- | src/pam-configs/radius-optional | 4 | ||||
-rw-r--r-- | src/pam-configs/tacplus-mandatory | 8 | ||||
-rw-r--r-- | src/pam-configs/tacplus-optional | 8 |
4 files changed, 12 insertions, 16 deletions
diff --git a/src/pam-configs/radius-mandatory b/src/pam-configs/radius-mandatory index 43b6bd3e0..3368fe7ff 100644 --- a/src/pam-configs/radius-mandatory +++ b/src/pam-configs/radius-mandatory @@ -4,16 +4,16 @@ Priority: 576 Auth-Type: Primary Auth-Initial: - [default=ignore success=end perm_denied=bad auth_err=bad] pam_radius_auth.so + [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so Auth: - [default=ignore success=end perm_denied=bad auth_err=bad] pam_radius_auth.so use_first_pass + [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so use_first_pass Account-Type: Primary Account: [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet - [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_radius_auth.so + [default=ignore success=end] pam_radius_auth.so Session-Type: Additional Session: [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet - [default=ignore success=ok perm_denied=bad auth_err=bad] pam_radius_auth.so + [default=bad success=ok] pam_radius_auth.so diff --git a/src/pam-configs/radius-optional b/src/pam-configs/radius-optional index 9f6d5f0ea..73085061d 100644 --- a/src/pam-configs/radius-optional +++ b/src/pam-configs/radius-optional @@ -11,9 +11,9 @@ Auth: Account-Type: Primary Account: [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet - [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_radius_auth.so + [default=ignore success=end] pam_radius_auth.so Session-Type: Additional Session: [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet - [default=ignore success=ok perm_denied=bad auth_err=bad] pam_radius_auth.so + [default=ignore success=ok perm_denied=bad user_unknown=bad] pam_radius_auth.so diff --git a/src/pam-configs/tacplus-mandatory b/src/pam-configs/tacplus-mandatory index 92da02327..ffccece19 100644 --- a/src/pam-configs/tacplus-mandatory +++ b/src/pam-configs/tacplus-mandatory @@ -3,17 +3,15 @@ Default: no Priority: 576 Auth-Type: Primary -Auth-Initial: - [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login Auth: - [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass + [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_tacplus.so include=/etc/tacplus_servers login=login Account-Type: Primary Account: [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet - [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + [default=bad success=end] pam_tacplus.so include=/etc/tacplus_servers login=login Session-Type: Additional Session: [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet - [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + [default=bad success=ok] pam_tacplus.so include=/etc/tacplus_servers login=login diff --git a/src/pam-configs/tacplus-optional b/src/pam-configs/tacplus-optional index deed537d3..095c3a164 100644 --- a/src/pam-configs/tacplus-optional +++ b/src/pam-configs/tacplus-optional @@ -3,17 +3,15 @@ Default: no Priority: 576 Auth-Type: Primary -Auth-Initial: - [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login Auth: - [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass + [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login Account-Type: Primary Account: [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet - [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + [default=ignore success=end auth_err=bad perm_denied=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login Session-Type: Additional Session: [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet - [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + [default=ignore success=ok session_err=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login |