From c5dbc2049fd4fb2da6a0173611970978b11ec362 Mon Sep 17 00:00:00 2001
From: zsdc <taras@vyos.io>
Date: Tue, 19 Sep 2023 21:03:51 +0300
Subject: pam: T5577: Improved PAM configs for RADIUS and TACACS+

After analysing the sources, we found the following possible return statuses for the PAM
modules:

1. pam_tacplus

    Auth:

    - PAM_AUTH_ERR
    - PAM_AUTHINFO_UNAVAIL
    - PAM_AUTHTOK_ERR
    - PAM_BUF_ERR
    - PAM_CRED_INSUFFICIENT
    - PAM_PERM_DENIED
    - PAM_SUCCESS
    - PAM_USER_UNKNOWN

    Account:

    - PAM_AUTH_ERR
    - PAM_AUTHINFO_UNAVAIL
    - PAM_PERM_DENIED
    - PAM_SUCCESS
    - PAM_USER_UNKNOWN

    Session:

    - PAM_AUTHINFO_UNAVAIL
    - PAM_SESSION_ERR
    - PAM_SUCCESS
    - PAM_USER_UNKNOWN

2. pam_radius_auth

    Auth:

    - PAM_ABORT
    - PAM_AUTH_ERR
    - PAM_AUTHINFO_UNAVAIL
    - PAM_AUTHTOK_ERR
    - PAM_BAD_ITEM
    - PAM_BUF_ERR
    - PAM_CONV_AGAIN
    - PAM_CONV_ERR
    - PAM_IGNORE
    - PAM_NO_MODULE_DATA
    - PAM_PERM_DENIED
    - PAM_SUCCESS
    - PAM_SYSTEM_ERR
    - PAM_USER_UNKNOWN

    Account:

    - PAM_SUCCESS

    Session:

    - PAM_ABORT
    - PAM_AUTHINFO_UNAVAIL
    - PAM_BAD_ITEM
    - PAM_BUF_ERR
    - PAM_CONV_AGAIN
    - PAM_CONV_ERR
    - PAM_IGNORE
    - PAM_NO_MODULE_DATA
    - PAM_PERM_DENIED
    - PAM_SUCCESS
    - PAM_SYSTEM_ERR
    - PAM_USER_UNKNOWN

PAM configurations were replaced with tuned versions to take this into account.
---
 src/pam-configs/radius-mandatory  | 8 ++++----
 src/pam-configs/radius-optional   | 4 ++--
 src/pam-configs/tacplus-mandatory | 8 +++-----
 src/pam-configs/tacplus-optional  | 8 +++-----
 4 files changed, 12 insertions(+), 16 deletions(-)

diff --git a/src/pam-configs/radius-mandatory b/src/pam-configs/radius-mandatory
index 43b6bd3e0..3368fe7ff 100644
--- a/src/pam-configs/radius-mandatory
+++ b/src/pam-configs/radius-mandatory
@@ -4,16 +4,16 @@ Priority: 576
 
 Auth-Type: Primary
 Auth-Initial:
-    [default=ignore success=end perm_denied=bad auth_err=bad] pam_radius_auth.so
+    [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so
 Auth:
-    [default=ignore success=end perm_denied=bad auth_err=bad] pam_radius_auth.so use_first_pass
+    [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so use_first_pass
 
 Account-Type: Primary
 Account:
     [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
-    [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_radius_auth.so
+    [default=ignore success=end] pam_radius_auth.so
 
 Session-Type: Additional
 Session:
     [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
-    [default=ignore success=ok perm_denied=bad auth_err=bad] pam_radius_auth.so
+    [default=bad success=ok] pam_radius_auth.so
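Review bot: The new Session line `[default=bad success=ok] pam_radius_auth.so` turns PAM_IGNORE, which the commit message itself lists as a possible session return of pam_radius_auth, into a hard failure, because a return code not named in the bracket falls under `default=` and Linux-PAM only maps PAM_IGNORE to the ignore action when it is spelled out (the stock `required` equivalent is `[success=ok new_authtok_reqd=ok ignore=ignore default=bad]`). I would write it as `[default=bad success=ok ignore=ignore] pam_radius_auth.so`. The same `default=bad` also makes PAM_AUTHINFO_UNAVAIL, PAM_SYSTEM_ERR and PAM_ABORT close the session stage, while the two Auth lines above let an unreachable server fall through to the following Primary modules via `default=ignore`, so the mandatory profile is fail-closed in session but fail-open in auth. If fail-closed on an unreachable RADIUS server is the intent of the mandatory profile, the Auth lines would need e.g. `authinfo_unavail=die` as well; if fall-through to local authentication is intended, that decision deserves a sentence in the description, since it is the security-relevant property of this profile.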
diff --git a/src/pam-configs/radius-optional b/src/pam-configs/radius-optional
index 9f6d5f0ea..73085061d 100644
--- a/src/pam-configs/radius-optional
+++ b/src/pam-configs/radius-optional
@@ -11,9 +11,9 @@ Auth:
 Account-Type: Primary
 Account:
     [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
-    [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_radius_auth.so
+    [default=ignore success=end] pam_radius_auth.so
 
 Session-Type: Additional
 Session:
     [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
-    [default=ignore success=ok perm_denied=bad auth_err=bad] pam_radius_auth.so
+    [default=ignore success=ok perm_denied=bad user_unknown=bad] pam_radius_auth.so
diff --git a/src/pam-configs/tacplus-mandatory b/src/pam-configs/tacplus-mandatory
index 92da02327..ffccece19 100644
--- a/src/pam-configs/tacplus-mandatory
+++ b/src/pam-configs/tacplus-mandatory
@@ -3,17 +3,15 @@ Default: no
 Priority: 576
 
 Auth-Type: Primary
-Auth-Initial:
-    [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
 Auth:
-    [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass
+    [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_tacplus.so include=/etc/tacplus_servers login=login
 
 Account-Type: Primary
 Account:
     [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
-    [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
+    [default=bad success=end] pam_tacplus.so include=/etc/tacplus_servers login=login
 
 Session-Type: Additional
 Session:
     [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
-    [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
+    [default=bad success=ok] pam_tacplus.so include=/etc/tacplus_servers login=login
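Review bot: Removing the `Auth-Initial:` entry and the `use_first_pass` argument from the Auth line is not mentioned in the description, and radius-mandatory keeps the Auth-Initial/Auth pair, so the two mandatory profiles now diverge in how they sit in the Primary stack; the same removal is made in tacplus-optional. As far as I can tell from pam-auth-update's handling of a profile without `Auth-Initial`, the single Auth line is emitted for both the first and any later position in the Primary block, so pam_tacplus will always prompt for the password itself and, if another Primary module of equal or higher priority is enabled ahead of it (radius-mandatory also declares `Priority: 576`), the user would be prompted twice. Either keep the two-line form, `Auth-Initial:` with `[default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_tacplus.so include=/etc/tacplus_servers login=login` and `Auth:` with the same control and `use_first_pass`, or state in the description why TACACS+ must always do its own prompting. Separately, the new Account line `[default=bad success=end]` makes PAM_AUTHINFO_UNAVAIL a hard account failure for users in group tacacs while the Auth line above lets the same condition fall through with `default=ignore`; if that asymmetry is deliberate for the mandatory profile it is worth documenting.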
diff --git a/src/pam-configs/tacplus-optional b/src/pam-configs/tacplus-optional
index deed537d3..095c3a164 100644
--- a/src/pam-configs/tacplus-optional
+++ b/src/pam-configs/tacplus-optional
@@ -3,17 +3,15 @@ Default: no
 Priority: 576
 
 Auth-Type: Primary
-Auth-Initial:
-    [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login
 Auth:
-    [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass
+    [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login
 
 Account-Type: Primary
 Account:
     [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
-    [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
+    [default=ignore success=end auth_err=bad perm_denied=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
 
 Session-Type: Additional
 Session:
     [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
-    [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
+    [default=ignore success=ok session_err=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
-- 
cgit v1.2.3