badpw[] = "\b\n\r\177INCORRECT"

Darren Tucker dtucker at zip.com.au
Mon Jan 30 20:55:39 EST 2006


On Mon, Jan 30, 2006 at 09:37:55AM -0000, Le Gal Philippe wrote:
> Hi !
> 
> I'm trying to authenticate users on a Linux Red hat AS 2.1 against a
> radius server.
> 
> I have upgraded my OpenSSHd to :
> OpenSSH_4.2p1, OpenSSL 0.9.6b [engine] 9 Jul 2001

> The users accounts are NOT stored locally on the server (no accounts in
> /etc/passwd ). Users ssh to the box :   ssh test at testserver.com   passwd:
> test I'm using PAM to direct the authentication request to the radius
> server. That part works fine.

> But the request coming to the radius looks like : 
> 
>         User-Name = "test"
>         User-Password = "\010\n\INCORRECT"

sshd does that when the user doesn't exist or is otherwise prohibited
from logging on the system in question (ie when they are flagged as
"invalid" or "illegal" users).

If it didn't do this then an attacker may be able to distinguish between
valid and invalid accounts and/or the correct password for an account
not permitted to log in at all via ssh (there's a CVE or two for these
type of problems).

> - I found that other OpenSSH user had a similar problem. Is there a
> workaround ? 

Configure your name service (eg nsswitch.conf) to return passwd entries
for your RADIUS users (eg with nss_radius).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
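Added illustration (not code from the thread or from OpenSSH): a small Python model of the substitution Darren describes, plus a triage helper that recognises the fixed marker password in a RADIUS debug log so a backend's rejects for invalid users can be told apart from real wrong passwords; the log lines are constructed, and the function names are my own.

```python
import re

# The fixed junk password sshd hands to PAM for users it has already decided
# are invalid (taken from the thread's subject line; \177 is DEL).
SSHD_BAD_PASSWORD = "\b\n\r\177INCORRECT"


def sshd_pam_password(user: str, supplied: str, local_users: set[str]) -> str:
    """Model of sshd's behaviour: an unknown/invalid user never reaches the
    backend with the password they typed; a constant junk password goes
    through the same code path instead, so timing and replies do not reveal
    whether the account exists.  (Hypothetical helper, not sshd's code.)"""
    return supplied if user in local_users else SSHD_BAD_PASSWORD


def is_sshd_invalid_user_marker(password: str) -> bool:
    """True when a RADIUS/PAM backend received sshd's marker, i.e. the account
    had no passwd entry (or was denied) on the ssh server itself."""
    return password == SSHD_BAD_PASSWORD


# RADIUS debug output prints non-printable bytes as C-style escapes (\010, \177).
_ESC = re.compile(r"\\([0-7]{3})|\\n|\\r|\\t")


def unescape_radius_log_value(text: str) -> str:
    def repl(m: re.Match) -> str:
        if m.group(1):
            return chr(int(m.group(1), 8))
        return {"\\n": "\n", "\\r": "\r", "\\t": "\t"}[m.group(0)]
    return _ESC.sub(repl, text)


def triage_radius_log(lines: list[str]) -> dict[str, str]:
    """Map each User-Name in a RADIUS debug log to a verdict."""
    verdicts, user = {}, None
    for line in lines:
        m = re.search(r'User-Name = "(.*)"', line)
        if m:
            user = m.group(1)
            continue
        m = re.search(r'User-Password = "(.*)"', line)
        if m and user is not None:
            pw = unescape_radius_log_value(m.group(1))
            verdicts[user] = ("rejected by sshd before auth (no local passwd entry?)"
                              if is_sshd_invalid_user_marker(pw)
                              else "real credential forwarded")
    return verdicts


# Constructed sample of what a RADIUS server logs for two ssh logins.
SAMPLE_LOG = [
    '        User-Name = "test"',
    '        User-Password = "\\010\\n\\r\\177INCORRECT"',
    '        User-Name = "alice"',
    '        User-Password = "s3cret"',
]
```

Once nss_radius (or another name service) returns a passwd entry for the user, the first verdict disappears and the real password reaches the backend.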