Sunday, April 30, 2017

Help with authpf(8)

Hello

I am in the process of setting up the authpf(8) service on OpenBSD 6.1. I would like to have the users authenticate using RADIUS. I have set up the login.conf (below) appropriately to achieve this; however, I find that when I try to log in with a user that is not on the system, the RADIUS authentication fails. I see that sshd(8) is sending out two RADIUS auth requests. One has the username without a password and one has a user of NOUSER with a password. Looking at the ssh code I can see that sshd is looking for an account with the username and, since one doesn't exist, is calling fakepw() to process fake information. I was trying to avoid having to set up the ypldap(8) + ldapd(8) dance to have user accounts on the system.

So my question: is there a way to set up authentication of users against authpf(8) without needing their accounts to be local or in YP?

Regards
Michael Graves

=== login.conf (comments removed)

# Default allowed authentication styles
auth-defaults:auth=passwd,skey:

# Default allowed authentication styles for authentication type ftp
auth-ftp-defaults:auth-ftp=passwd:

auth-ssh-defaults:auth-ssh=radius:

authpf-defaults:\
:shell=/usr/sbin/authpf:

default:\
:path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin:\
:umask=022:\
:datasize-max=768M:\
:datasize-cur=768M:\
:maxproc-max=256:\
:maxproc-cur=128:\
:openfiles-max=1024:\
:openfiles-cur=512:\
:stacksize-cur=4M:\
:localcipher=blowfish,a:\
:tc=auth-ssh-defaults:\
:tc=radius:\
:tc=auth-defaults:\
:tc=auth-ftp-defaults:

myclass:\
:auth=-mystyle:\
:tc=authpf-defaults:\
:tc=default:

radius:\
:radius-port=1812:\
:radius-server=10.1.2.1:\
:radius-timeout=1:\
:radius-retries=1:

daemon:\
:ignorenologin:\
:datasize=infinity:\
:maxproc=infinity:\
:openfiles-max=1024:\
:openfiles-cur=128:\
:stacksize-cur=8M:\
:localcipher=blowfish,a:\
:tc=default:

staff:\
:datasize-cur=1536M:\
:datasize-max=infinity:\
:maxproc-max=512:\
:maxproc-cur=256:\
:ignorenologin:\
:requirehome@:\
:tc=default:

authpf:\
:welcome=/etc/motd.authpf:\
:shell=/usr/sbin/authpf:\
:tc=default:

pbuild:\
:datasize-max=infinity:\
:datasize-cur=4096M:\
:maxproc-max=1024:\
:maxproc-cur=256:\
:tc=default:

bgpd:\
:openfiles=512:\
:tc=daemon:

unbound:\
:openfiles=512:\
:tc=daemon:
