From c5dbc2049fd4fb2da6a0173611970978b11ec362 Mon Sep 17 00:00:00 2001 From: zsdc Date: Tue, 19 Sep 2023 21:03:51 +0300 Subject: pam: T5577: Improved PAM configs for RADIUS and TACACS+ After sources analysis, we found the next possible return statuses for PAM modules: 1. pam_tacplus Auth: - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_AUTHTOK_ERR - PAM_BUF_ERR - PAM_CRED_INSUFFICIENT - PAM_PERM_DENIED - PAM_SUCCESS - PAM_USER_UNKNOWN Account: - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_PERM_DENIED - PAM_SUCCESS - PAM_USER_UNKNOWN Session: - PAM_AUTHINFO_UNAVAIL - PAM_SESSION_ERR - PAM_SUCCESS - PAM_USER_UNKNOWN 2. pam_radius_auth Auth: - PAM_ABORT - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_AUTHTOK_ERR - PAM_BAD_ITEM - PAM_BUF_ERR - PAM_CONV_AGAIN - PAM_CONV_ERR - PAM_IGNORE - PAM_NO_MODULE_DATA - PAM_PERM_DENIED - PAM_SUCCESS - PAM_SYSTEM_ERR - PAM_USER_UNKNOWN Account: - PAM_SUCCESS Session: - PAM_ABORT - PAM_AUTHINFO_UNAVAIL - PAM_BAD_ITEM - PAM_BUF_ERR - PAM_CONV_AGAIN - PAM_CONV_ERR - PAM_IGNORE - PAM_NO_MODULE_DATA - PAM_PERM_DENIED - PAM_SUCCESS - PAM_SYSTEM_ERR - PAM_USER_UNKNOWN PAM configurations were replaced with tuned versions to take this into account. --- src/pam-configs/radius-mandatory | 8 ++++---- src/pam-configs/radius-optional | 4 ++-- src/pam-configs/tacplus-mandatory | 8 +++----- src/pam-configs/tacplus-optional | 8 +++----- 4 files changed, 12 insertions(+), 16 deletions(-) diff --git a/src/pam-configs/radius-mandatory b/src/pam-configs/radius-mandatory index 43b6bd3e0..3368fe7ff 100644 --- a/src/pam-configs/radius-mandatory +++ b/src/pam-configs/radius-mandatory @@ -4,16 +4,16 @@ Priority: 576 Auth-Type: Primary Auth-Initial: - [default=ignore success=end perm_denied=bad auth_err=bad] pam_radius_auth.so + [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so Auth: - [default=ignore success=end perm_denied=bad auth_err=bad] pam_radius_auth.so use_first_pass + [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so use_first_pass Account-Type: Primary Account: [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet - [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_radius_auth.so + [default=ignore success=end] pam_radius_auth.so Session-Type: Additional Session: [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet - [default=ignore success=ok perm_denied=bad auth_err=bad] pam_radius_auth.so + [default=bad success=ok] pam_radius_auth.so diff --git a/src/pam-configs/radius-optional b/src/pam-configs/radius-optional index 9f6d5f0ea..73085061d 100644 --- a/src/pam-configs/radius-optional +++ b/src/pam-configs/radius-optional @@ -11,9 +11,9 @@ Auth: Account-Type: Primary Account: [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet - [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_radius_auth.so + [default=ignore success=end] pam_radius_auth.so Session-Type: Additional Session: [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet - [default=ignore success=ok perm_denied=bad auth_err=bad] pam_radius_auth.so + [default=ignore success=ok perm_denied=bad user_unknown=bad] pam_radius_auth.so diff --git a/src/pam-configs/tacplus-mandatory b/src/pam-configs/tacplus-mandatory index 92da02327..ffccece19 100644 --- a/src/pam-configs/tacplus-mandatory +++ b/src/pam-configs/tacplus-mandatory @@ -3,17 +3,15 @@ Default: no Priority: 576 Auth-Type: Primary -Auth-Initial: - [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login Auth: - [default=ignore success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass + [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_tacplus.so include=/etc/tacplus_servers login=login Account-Type: Primary Account: [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet - [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + [default=bad success=end] pam_tacplus.so include=/etc/tacplus_servers login=login Session-Type: Additional Session: [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet - [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + [default=bad success=ok] pam_tacplus.so include=/etc/tacplus_servers login=login diff --git a/src/pam-configs/tacplus-optional b/src/pam-configs/tacplus-optional index deed537d3..095c3a164 100644 --- a/src/pam-configs/tacplus-optional +++ b/src/pam-configs/tacplus-optional @@ -3,17 +3,15 @@ Default: no Priority: 576 Auth-Type: Primary -Auth-Initial: - [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login Auth: - [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login use_first_pass + [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login Account-Type: Primary Account: [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet - [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + [default=ignore success=end auth_err=bad perm_denied=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login Session-Type: Additional Session: [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet - [default=ignore success=ok perm_denied=bad auth_err=bad] pam_tacplus.so include=/etc/tacplus_servers login=login + [default=ignore success=ok session_err=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login -- cgit v1.2.3