[j-nsp] su using radius
Pierfrancesco Caci
pf at caci.it
Fri Nov 5 03:42:41 EDT 2010
On Thu, 04 Nov 2010 18:19:46 +0100
Pierfrancesco Caci <pf at caci.it> wrote:
>
> That said, su using radius comes a bit of a surprise. Is this a known
> issue, is there some workaround ?
more info (thanks ras!):
[9.2R4.4] and [9.5R3.7]
% cat /etc/pam.conf
su auth sufficient pam_rootok.so no_warn
su auth sufficient pam_self.so no_warn
su auth requisite pam_group.so no_warn group=wheel fail_safe root_only
su auth required pam_unix.so try_first_pass
login auth sufficient pam_radius.so conf=/var/etc/pam_radius.conf template_user=remote try_first_pass no_warn
login account sufficient pam_radius.so conf=/var/etc/pam_radius.conf template_user=remote
login password required pam_radius.so conf=/var/etc/pam_radius.conf template_user=remote
login auth required pam_unix.so local_fallback no_warn
login session required pam_permit.so
login account required pam_unix.so
[9.6R1.13]
% cat /etc/pam.conf
su auth sufficient pam_rootok.so no_warn
su auth sufficient pam_self.so no_warn
su auth include login
su auth required pam_unix.so try_first_pass
login auth sufficient pam_radius.so conf=/var/etc/pam_radius.conf template_user=remote try_first_pass no_warn
login account sufficient pam_radius.so conf=/var/etc/pam_radius.conf template_user=remote
login password required pam_radius.so conf=/var/etc/pam_radius.conf template_user=remote
login auth required pam_unix.so local_fallback no_warn
login session required pam_permit.so
login account required pam_unix.so
--- pam9.2 2010-11-05 08:14:01.000000000 +0100
+++ pam9.6 2010-11-05 08:13:48.000000000 +0100
@@ -1,7 +1,7 @@
% cat /etc/pam.conf
su auth sufficient pam_rootok.so no_warn
su auth sufficient pam_self.so no_warn
-su auth requisite pam_group.so no_warn group=wheel fail_safe root_only
+su auth include login
su auth required pam_unix.so try_first_pass
login auth sufficient pam_radius.so conf=/var/etc/pam_radius.conf template_user=remote try_first_pass no_warn
login account sufficient pam_radius.so conf=/var/etc/pam_radius.conf template_user=remote
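Review bot: the dropped `-su auth requisite pam_group.so no_warn group=wheel fail_safe root_only` line was the only rule gating su on wheel membership, and `+su auth include login` does not replace that check; it splices login's auth rules into su ahead of `su auth required pam_unix.so try_first_pass`, so su is now decided first by `login auth sufficient pam_radius.so ... template_user=remote` rather than by the local group check. Note that `include` pulls in only the same facility, so the `login account sufficient pam_radius.so` context line is not part of su's auth chain. If the wheel restriction is still intended on 9.6, a `requisite pam_group.so` line should precede the include, and su behaviour with RADIUS reachable and unreachable should be tested separately, since success now depends on the RADIUS path before local authentication is consulted.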
So somewhere between 9.5 and 9.6 they changed the PAM configuration
for su. Changing authorization-order to [radius password] makes me
able to su again, but exposes my last resort user when radius is
reachable, which I don't want.
--
Pierfrancesco Caci <pf at caci.it>
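As an added example (not code from the post or from Junos), the script below takes the su and login auth lines from the two /etc/pam.conf dumps above, expands the `include login` directive the way OpenPAM does (the named policy's rules for the same facility are inlined), and lists the module order su actually walks under each version. It models rule order only, not the sufficient/required decision logic, and the 9.6 input is constructed by applying exactly the one-line change the diff shows.

```python
from collections import defaultdict

# Constructed input: the su/login auth lines from the 9.2 /etc/pam.conf in the post.
PAM_CONF_92 = """\
su auth sufficient pam_rootok.so no_warn
su auth sufficient pam_self.so no_warn
su auth requisite pam_group.so no_warn group=wheel fail_safe root_only
su auth required pam_unix.so try_first_pass
login auth sufficient pam_radius.so conf=/var/etc/pam_radius.conf template_user=remote try_first_pass no_warn
login auth required pam_unix.so local_fallback no_warn
"""
# The 9.6 file differs only by the line the diff shows.
PAM_CONF_96 = PAM_CONF_92.replace(
    "su auth requisite pam_group.so no_warn group=wheel fail_safe root_only",
    "su auth include login")

def parse_pam_conf(text):
    """Map (service, facility) -> [(control, module_or_policy, [options])]."""
    rules = defaultdict(list)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        service, facility, control, target, *options = fields
        rules[(service, facility)].append((control, target, options))
    return rules

def effective_chain(rules, service, facility, _depth=0):
    """Flatten OpenPAM-style 'include' (same facility only) into one module chain."""
    if _depth > 8:
        raise ValueError("include loop involving %r" % service)
    chain = []
    for control, target, options in rules.get((service, facility), []):
        if control == "include":
            chain.extend(effective_chain(rules, target, facility, _depth + 1))
        else:
            chain.append((control, target, options))
    return chain

def su_auth_modules(text):
    """Ordered module names consulted for 'su' auth under this pam.conf."""
    return [m for _, m, _ in effective_chain(parse_pam_conf(text), "su", "auth")]

def radius_decides_su(text):
    """True if a 'sufficient' pam_radius.so is reached before any pam_unix.so."""
    for control, module, _ in effective_chain(parse_pam_conf(text), "su", "auth"):
        if module == "pam_radius.so" and control == "sufficient":
            return True
        if module == "pam_unix.so":
            return False
    return False
```

Under 9.2 the chain is rootok, self, group, unix; under 9.6 the wheel gate is gone and pam_radius.so sits ahead of both pam_unix.so lines, which is why su now depends on the RADIUS path.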