badpw[] = "\b\n\r\177INCORRECT"

Le Gal Philippe Philippe.LeGal at emea.eu.int
Tue Jan 31 22:22:38 EST 2006


Thank you for your prompt answer Darren,

Unfortunately, it seems that the nss_radius project is a dead end, as I can't find any module already written for it. I'm fairly new to all this and I don't want to spend my time writing a nss_radius module.

Do you know if such a module exists somewhere?

Thank you

Philippe

-----Original Message-----
From: Darren Tucker [mailto:dtucker at zip.com.au]
Sent: 30 January 2006 09:56
To: Le Gal Philippe
Cc: openssh-unix-dev at mindrot.org
Subject: Re: badpw[] = "\b\n\r\177INCORRECT"


On Mon, Jan 30, 2006 at 09:37:55AM -0000, Le Gal Philippe wrote:
> Hi !
> 
> I'm trying to authenticate users on a Linux Red hat AS 2.1 against a
> radius server.
> 
> I have upgraded my OpenSSHd to :
> OpenSSH_4.2p1, OpenSSL 0.9.6b [engine] 9 Jul 2001

> The user accounts are NOT stored locally on the server (no accounts in
> /etc/passwd). Users ssh to the box:   ssh test at testserver.com   passwd:
> test. I'm using PAM to direct the authentication request to the radius
> server. That part works fine.

> But the request coming to the radius looks like : 
> 
>         User-Name = "test"
>         User-Password = "\010\n\INCORRECT"

sshd does that when the user doesn't exist or is otherwise prohibited
from logging on to the system in question (ie when they are flagged as
"invalid" or "illegal" users).

If it didn't do this then an attacker may be able to distinguish between
valid and invalid accounts and/or the correct password for an account
not permitted to log in at all via ssh (there's a CVE or two for these
types of problems).

> - I found that other OpenSSH user had a similar problem. Is there a
> workaround ? 

Configure your name service (eg nsswitch.conf) to return passwd entries
for your RADIUS users (eg with nss_radius).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

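The behaviour Darren describes, as an added illustration that is not OpenSSH's own code: a small C model of the sshd decision point. The placeholder string is the one from the thread's subject line; the name-service table, the RADIUS-only account "test", the backend, and the function names (auth_password_model, lookup_user, set_radius_nss, backend_authenticate, backend_last_password) are all constructed for this example. It shows why the RADIUS server sees "\b\n\r\177INCORRECT" while the account has no passwd entry, and why giving the name service a passwd source for RADIUS users (the nss_radius workaround) makes the real password flow instead.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not OpenSSH's own code: a model of why a RADIUS server
 * behind PAM sees the password "\b\n\r\177INCORRECT" for accounts that
 * do not resolve through the name service, and why adding a passwd
 * source for those users (e.g. nss_radius) makes the real password flow.
 */

/* Fixed placeholder substituted for users sshd will not let in. */
static const char badpw[] = "\b\n\r\177INCORRECT";

struct pwent {
    const char *name;
    unsigned uid;
};

/* Constructed /etc/passwd contents standing in for getpwnam(). */
static const struct pwent local_passwd[] = {
    { "root",  0 },
    { "alice", 1001 },
};

/* Constructed RADIUS-only accounts; they resolve only once a passwd
 * source for them (e.g. nss_radius) is enabled in nsswitch.conf. */
static const struct pwent radius_passwd[] = {
    { "test", 5001 },
};
static int radius_nss_enabled = 0;

/* Hypothetical toggle standing in for editing nsswitch.conf. */
void set_radius_nss(int enabled) { radius_nss_enabled = enabled; }

/* Returns 1 and fills *out if the name service resolves the account. */
static int lookup_user(const char *name, struct pwent *out)
{
    size_t i;
    for (i = 0; i < sizeof local_passwd / sizeof local_passwd[0]; i++)
        if (strcmp(local_passwd[i].name, name) == 0) { *out = local_passwd[i]; return 1; }
    if (radius_nss_enabled)
        for (i = 0; i < sizeof radius_passwd / sizeof radius_passwd[0]; i++)
            if (strcmp(radius_passwd[i].name, name) == 0) { *out = radius_passwd[i]; return 1; }
    return 0;
}

/* What the PAM -> RADIUS backend last received, so callers can inspect it. */
static char last_backend_user[64];
static char last_backend_pw[64];

const char *backend_last_user(void) { return last_backend_user; }
const char *backend_last_password(void) { return last_backend_pw; }

/* Constructed backend: the only credential it accepts is test/test. */
static int backend_authenticate(const char *user, const char *password)
{
    snprintf(last_backend_user, sizeof last_backend_user, "%s", user);
    snprintf(last_backend_pw, sizeof last_backend_pw, "%s", password);
    return strcmp(user, "test") == 0 && strcmp(password, "test") == 0;
}

/*
 * Model of the sshd decision described in the thread: if the account is
 * not valid on this host (no passwd entry, or root with root login
 * disabled), the backend is still called so its timing and logging look
 * the same as for a valid account, but with badpw instead of the
 * password the client typed. Such users are refused no matter what the
 * backend answers, so a correct password for them is never confirmed.
 */
int auth_password_model(const char *user, const char *password,
                        int permit_root_login)
{
    struct pwent pw = { "", 0 };
    int valid = lookup_user(user, &pw);
    const char *sent = password;
    int backend_ok;

    if (!valid || (pw.uid == 0 && !permit_root_login))
        sent = badpw;

    backend_ok = backend_authenticate(user, sent);
    return valid && backend_ok;
}

int main(void)
{
    set_radius_nss(0);
    printf("without a passwd source for RADIUS users: test/test -> %s, backend saw %s\n",
           auth_password_model("test", "test", 0) ? "accepted" : "rejected",
           strcmp(backend_last_password(), badpw) == 0 ? "badpw" : "the real password");
    set_radius_nss(1);
    printf("with a passwd source for RADIUS users:    test/test -> %s, backend saw %s\n",
           auth_password_model("test", "test", 0) ? "accepted" : "rejected",
           strcmp(backend_last_password(), badpw) == 0 ? "badpw" : "the real password");
    return 0;
}
```

Run stand-alone, the first line shows the situation in Philippe's RADIUS log (request rejected, backend handed badpw); the second shows what changes once the name service can resolve the account, which is the only difference the nss_radius suggestion makes. The same substitution applies to root when root login is disabled, so the backend cannot be used to confirm root's password either.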



