Help with authpf(8)


Help with authpf(8)

Michael Graves
Hello

I am in the process of setting up the authpf(8) service on OpenBSD 6.1. I would like to have the users authenticate using radius. I have set up the login.conf (below) appropriately to achieve this, however I find that when I try to login with a user that is not on the system, the radius authentication fails. I see that sshd(8) is sending out two radius auth requests. One has the username w/o a password and one has a user of NOUSER with a password. Looking at the ssh code I can see that sshd is looking for an account with the username and since one doesn't exist it is calling fakepw() to process fake information. I was trying to avoid having to set up the ypldap(8) + ldapd(8) dance to have user accounts on the system.

So my question, is there a way to set up user authentication against authpf(8) without needing their accounts local or in YP?

Regards
Michael Graves

=== login.conf (comments removed)

# Default allowed authentication styles
auth-defaults:auth=passwd,skey:

# Default allowed authentication styles for authentication type ftp
auth-ftp-defaults:auth-ftp=passwd:

auth-ssh-defaults:auth-ssh=radius:

authpf-defaults:\
         :shell=/usr/sbin/authpf:

default:\
         :path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin:\
         :umask=022:\
         :datasize-max=768M:\
         :datasize-cur=768M:\
         :maxproc-max=256:\
         :maxproc-cur=128:\
         :openfiles-max=1024:\
         :openfiles-cur=512:\
         :stacksize-cur=4M:\
         :localcipher=blowfish,a:\
         :tc=auth-ssh-defaults:\
         :tc=radius:\
         :tc=auth-defaults:\
         :tc=auth-ftp-defaults:

myclass:\
         :auth=-mystyle:\
         :tc=authpf-defaults:\
         :tc=default:

radius:\
         :radius-port=1812:\
         :radius-server=10.1.2.1:\
         :radius-timeout=1:\
         :radius-retries=1:

daemon:\
         :ignorenologin:\
         :datasize=infinity:\
         :maxproc=infinity:\
         :openfiles-max=1024:\
         :openfiles-cur=128:\
         :stacksize-cur=8M:\
         :localcipher=blowfish,a:\
         :tc=default:

staff:\
         :datasize-cur=1536M:\
         :datasize-max=infinity:\
         :maxproc-max=512:\
         :maxproc-cur=256:\
         :ignorenologin:\
         :requirehome@:\
         :tc=default:

authpf:\
         :welcome=/etc/motd.authpf:\
         :shell=/usr/sbin/authpf:\
         :tc=default:

pbuild:\
         :datasize-max=infinity:\
         :datasize-cur=4096M:\
         :maxproc-max=1024:\
         :maxproc-cur=256:\
         :tc=default:

bgpd:\
         :openfiles=512:\
         :tc=daemon:

unbound:\
         :openfiles=512:\
         :tc=daemon:


Re: Help with authpf(8)

Stuart Henderson
On 2017-04-30, Michael Graves <[hidden email]> wrote:
> So my question,  is there a way to setup authenticate users against
> authpf(8) without needing their accounts local or in YP?

No. But depending on your environment, maybe it would work to
periodically pull from ldap and generate local accounts with the
login class set appropriately to use radius for authentication?
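One way to carry out the periodic sync Stuart describes, as an added example that is not part of this thread and not OpenBSD's own tooling: read an LDIF dump of directory users (what ldapsearch(1) prints), compare it with the local passwd file, and emit a useradd(8) line for every directory user that has no local account yet, placing it in a login class whose auth style is radius. The class name "authpf-radius" is a hypothetical one; it would be defined in login.conf much like the "authpf" and "radius" classes above, with `auth=radius` and the radius-server settings. The script only prints the commands, so they can be reviewed before being piped to sh(1) from a cron(8) job; the LDIF and passwd contents at the bottom are constructed sample data so it runs without a directory server.

```shell
#!/bin/sh
# Added example, not from the thread: generate useradd(8) commands for
# directory users that are missing locally, in a radius-authenticated class.
# Assumption: the login class "authpf-radius" (hypothetical) exists in
# login.conf with auth=radius, so a '*' local password is never consulted.

LOGIN_CLASS=${LOGIN_CLASS:-authpf-radius}

# ldif_uids FILE: print each "uid:" attribute value from an LDIF dump, one per line
ldif_uids() {
    awk -F': ' '$1 == "uid" { print $2 }' "$1"
}

# local_exists USER PASSWD_FILE: exit 0 if USER already has a passwd entry
local_exists() {
    awk -F: -v u="$1" '$1 == u { f = 1 } END { exit !f }' "$2"
}

# gen_useradd LDIF_FILE PASSWD_FILE: print one useradd command per directory
# user that has no local account yet; nothing is executed
gen_useradd() {
    ldif_uids "$1" | while IFS= read -r u; do
        # accept only names useradd(8) would accept and that are safe to
        # place on a command line (no spaces, quotes, leading dashes, ...)
        case $u in
            ""|*[!A-Za-z0-9._-]*|-*) continue ;;
        esac
        if ! local_exists "$u" "$2"; then
            # -L selects the login class; -p '*' stores an unusable local
            # password hash, so the class's radius auth style is the only
            # way this account can log in.
            printf "useradd -L %s -p '*' %s\n" "$LOGIN_CLASS" "$u"
        fi
    done
}

# Constructed sample input (not real directory data) so the script runs offline.
TMP=$(mktemp -d) || exit 1
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/users.ldif" <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
objectClass: posixAccount

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
objectClass: posixAccount

dn: uid=ev il,ou=people,dc=example,dc=com
uid: ev il
objectClass: posixAccount
EOF
# bob already exists locally; alice does not; "ev il" is rejected by the name check
printf 'root:*:0:0:Charlie &:/root:/bin/ksh\nbob:*:1001:1001:Bob:/home/bob:/usr/sbin/authpf\n' > "$TMP/passwd"

gen_useradd "$TMP/users.ldif" "$TMP/passwd"
```

Run against real data as `gen_useradd users.ldif /etc/passwd`; removing accounts that have left the directory is the other half of the sync and is deliberately left to a separate, reviewed step, since userdel(8) also tears down the user's authpf state.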