freeradius note for system authentication


freeradius note for system authentication

Todd T. Fries-2
I'm not sure where this should go other than 'common knowledge to anyone
using system authentication in OpenBSD and freeradius' but ..

When one sets up freeradius to authenticate users based on system accounts,
one should take care to set the following in radiusd.conf:

        group = _shadow

instead of the default:

        group = _freeradius

which does not permit access to e.g. /etc/spwd.db and therefore silently
fails to authenticate any system user.

If there is an appropriate place to document this, please let me know, and
I'll happily write it up.

Thanks,
--
Todd Fries .. [hidden email]

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| 2525 NW Expy #525, Oklahoma City, OK 73112  \  sip:[hidden email]
| "..in support of free software solutions."  \  sip:[hidden email]
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt


Re: freeradius note for system authentication

Antoine Jacoutot-7
On Mon, 22 Aug 2011, Todd T. Fries wrote:

> I'm not sure where this should go other than 'common knowledge to anyone
> using system authentication in OpenBSD and freeradius' but ..
>
> When one sets up freeradius to authenticate users based on system accounts,
> one should take care to set the following in radiusd.conf:
>
> group = _shadow
>
> instead of the default:
>
> group = _freeradius
>
> which does not permit access to e.g. /etc/spwd.db and therefore silently
> fails to authenticate any system user.
>
> If there is an appropriate place to document this, please let me know, and
> I'll happily write it up.

Aren't you always the first one asking for sane defaults ;-)
Why don't you patch radiusd.conf in the port so that it uses _shadow?

--
Antoine


Re: freeradius note for system authentication

Todd T. Fries-2
Penned by Antoine Jacoutot on 20110822 14:44.57, we have:
| On Mon, 22 Aug 2011, Todd T. Fries wrote:
|
| > I'm not sure where this should go other than 'common knowledge to anyone
| > using system authentication in OpenBSD and freeradius' but ..
| >
| > When one sets up freeradius to authenticate users based on system accounts,
| > one should take care to set the following in radiusd.conf:
| >
| > group = _shadow
| >
| > instead of the default:
| >
| > group = _freeradius
| >
| > which does not permit access to e.g. /etc/spwd.db and therefore silently
| > fails to authenticate any system user.
| >
| > If there is an appropriate place to document this, please let me know, and
| > I'll happily write it up.
|
| Aren't you always the first one asking for sane defaults ;-)
| Why don't you patch radiusd.conf in the port so that it uses _shadow?

Because this further requires a 'chgrp -R _shadow /etc/raddb' and if people
use a database or ldap or anything other than system users for authentication
it is not necessary, which is likely why I'm the first to encounter this.

Thanks,
--
Todd Fries .. [hidden email]



Re: freeradius note for system authentication

Antoine Jacoutot-7
On Mon, 22 Aug 2011, Todd T. Fries wrote:

> use a database or ldap or anything other than system users for authentication
> Penned by Antoine Jacoutot on 20110822 14:44.57, we have:
> | On Mon, 22 Aug 2011, Todd T. Fries wrote:
> |
> | > I'm not sure where this should go other than 'common knowledge to anyone
> | > using system authentication in OpenBSD and freeradius' but ..
> | >
> | > When one sets up freeradius to authenticate users based on system accounts,
> | > one should take care to set the following in radiusd.conf:
> | >
> | > group = _shadow
> | >
> | > instead of the default:
> | >
> | > group = _freeradius
> | >
> | > which does not permit access to e.g. /etc/spwd.db and therefore silently
> | > fails to authenticate any system user.
> | >
> | > If there is an appropriate place to document this, please let me know, and
> | > I'll happily write it up.
> |
> | Aren't you always the first one asking for sane defaults ;-)
> | Why don't you patch radiusd.conf in the port so that it uses _shadow?
>
> Because this further requires a 'chgrp -R _shadow /etc/raddb' and if people
> it is not necessary, which is likely why I'm the first to encounter this.

In this case, /etc/raddb/ could be made 755 in the port and the files
protected individually (640 _freeradius:_shadow or 640
_freeradius:_freeradius ...), wouldn't this work?

--
Antoine


Re: freeradius note for system authentication

Todd T. Fries-2
Penned by Antoine Jacoutot on 20110822 15:47.07, we have:
| On Mon, 22 Aug 2011, Todd T. Fries wrote:
|
| > use a database or ldap or anything other than system users for authentication
| > Penned by Antoine Jacoutot on 20110822 14:44.57, we have:
| > | On Mon, 22 Aug 2011, Todd T. Fries wrote:
| > |
| > | > I'm not sure where this should go other than 'common knowledge to anyone
| > | > using system authentication in OpenBSD and freeradius' but ..
| > | >
| > | > When one sets up freeradius to authenticate users based on system accounts,
| > | > one should take care to set the following in radiusd.conf:
| > | >
| > | > group = _shadow
| > | >
| > | > instead of the default:
| > | >
| > | > group = _freeradius
| > | >
| > | > which does not permit access to e.g. /etc/spwd.db and therefore silently
| > | > fails to authenticate any system user.
| > | >
| > | > If there is an appropriate place to document this, please let me know, and
| > | > I'll happily write it up.
| > |
| > | Aren't you always the first one asking for sane defaults ;-)
| > | Why don't you patch radiusd.conf in the port so that it uses _shadow?
| >
| > Because this further requires a 'chgrp -R _shadow /etc/raddb' and if people
| > it is not necessary, which is likely why I'm the first to encounter this.
|
| In this case, /etc/raddb/ could be made 755 in the port and the files
| protected individually (640 _freeradius:_shadow or 640
| _freeradius:_freeradius ...), wouldn't this work?

I could be wrong but I believe the intent was to permit the limited user
read access to the files but not write access to the files.  This requires
the group to have read only access but not write privs, but I could be
missing something.

The files cannot be globally readable because e.g. users file can contain
passwords.
--
Todd Fries .. [hidden email]



Re: freeradius note for system authentication

Antoine Jacoutot-7
On Mon, 22 Aug 2011, Todd T. Fries wrote:

> Penned by Antoine Jacoutot on 20110822 15:47.07, we have:
> | On Mon, 22 Aug 2011, Todd T. Fries wrote:
> |
> | > use a database or ldap or anything other than system users for authentication
> | > Penned by Antoine Jacoutot on 20110822 14:44.57, we have:
> | > | On Mon, 22 Aug 2011, Todd T. Fries wrote:
> | > |
> | > | > I'm not sure where this should go other than 'common knowledge to anyone
> | > | > using system authentication in OpenBSD and freeradius' but ..
> | > | >
> | > | > When one sets up freeradius to authenticate users based on system accounts,
> | > | > one should take care to set the following in radiusd.conf:
> | > | >
> | > | > group = _shadow
> | > | >
> | > | > instead of the default:
> | > | >
> | > | > group = _freeradius
> | > | >
> | > | > which does not permit access to e.g. /etc/spwd.db and therefore silently
> | > | > fails to authenticate any system user.
> | > | >
> | > | > If there is an appropriate place to document this, please let me know, and
> | > | > I'll happily write it up.
> | > |
> | > | Aren't you always the first one asking for sane defaults ;-)
> | > | Why don't you patch radiusd.conf in the port so that it uses _shadow?
> | >
> | > Because this further requires a 'chgrp -R _shadow /etc/raddb' and if people
> | > it is not necessary, which is likely why I'm the first to encounter this.
> |
> | In this case, /etc/raddb/ could be made 755 in the port and the files
> | protected individually (640 _freeradius:_shadow or 640
> | _freeradius:_freeradius ...), wouldn't this work?
>
> I could be wrong but I believe the intent was to permit the limited user
> read access to the files but not write access to the files.  This requires
> the group to have read only access but not write privs, but I could be
> missing something.

Yes, which is why I wrote 640.

> The files cannot be globally readable because e.g. users file can contain
> passwords.

Yes, which is why I wrote 640.

--
Antoine


Re: freeradius note for system authentication

Todd T. Fries-2
In reply to this post by Antoine Jacoutot-7
Penned by Antoine Jacoutot on 20110822 15:47.07, we have:
| On Mon, 22 Aug 2011, Todd T. Fries wrote:
|
| > use a database or ldap or anything other than system users for authentication
| > Penned by Antoine Jacoutot on 20110822 14:44.57, we have:
| > | On Mon, 22 Aug 2011, Todd T. Fries wrote:
| > |
| > | > I'm not sure where this should go other than 'common knowledge to anyone
| > | > using system authentication in OpenBSD and freeradius' but ..
| > | >
| > | > When one sets up freeradius to authenticate users based on system accounts,
| > | > one should take care to set the following in radiusd.conf:
| > | >
| > | > group = _shadow
| > | >
| > | > instead of the default:
| > | >
| > | > group = _freeradius
| > | >
| > | > which does not permit access to e.g. /etc/spwd.db and therefore silently
| > | > fails to authenticate any system user.
| > | >
| > | > If there is an appropriate place to document this, please let me know, and
| > | > I'll happily write it up.
| > |
| > | Aren't you always the first one asking for sane defaults ;-)
| > | Why don't you patch radiusd.conf in the port so that it uses _shadow?
| >
| > Because this further requires a 'chgrp -R _shadow /etc/raddb' and if people
| > it is not necessary, which is likely why I'm the first to encounter this.
|
| In this case, /etc/raddb/ could be made 755 in the port and the files
| protected individually (640 _freeradius:_shadow or 640
| _freeradius:_freeradius ...), wouldn't this work?
|
| --
| Antoine

Another alternative would be to have a setgroupid _shadow helper be called
from freeradius, only accessible to the _freeradius user. ??

--
Todd Fries .. [hidden email]



Re: freeradius note for system authentication

Stuart Henderson
In reply to this post by Antoine Jacoutot-7
On 2011-08-22, Antoine Jacoutot <[hidden email]> wrote:

> On Mon, 22 Aug 2011, Todd T. Fries wrote:
>
>> I'm not sure where this should go other than 'common knowledge to anyone
>> using system authentication in OpenBSD and freeradius' but ..
>>
>> When one sets up freeradius to authenticate users based on system accounts,
>> one should take care to set the following in radiusd.conf:
>>
>> group = _shadow
>>
>> instead of the default:
>>
>> group = _freeradius
>>
>> which does not permit access to e.g. /etc/spwd.db and therefore silently
>> fails to authenticate any system user.
>>
>> If there is an appropriate place to document this, please let me know, and
>> I'll happily write it up.
>
> Aren't you always the first one asking for sane defaults ;-)
> Why don't you patch radiusd.conf in the port so that it uses _shadow?
>

I don't think that it's all that common to use system accounts as
a backend for radius, I think the current default (i.e. not allowing
the daemon access to spwd.db without special configuration) is sane,
personally I'd rather have this documented in a README than change
the default config.



Re: freeradius note for system authentication

Dan Harnett-2
On Tue, Aug 23, 2011 at 11:51:56AM +0000, Stuart Henderson wrote:

> On 2011-08-22, Antoine Jacoutot <[hidden email]> wrote:
> > On Mon, 22 Aug 2011, Todd T. Fries wrote:
> >
> >> I'm not sure where this should go other than 'common knowledge to anyone
> >> using system authentication in OpenBSD and freeradius' but ..
> >>
> >> When one sets up freeradius to authenticate users based on system accounts,
> >> one should take care to set the following in radiusd.conf:
> >>
> >> group = _shadow
> >>
> >> instead of the default:
> >>
> >> group = _freeradius
> >>
> >> which does not permit access to e.g. /etc/spwd.db and therefore silently
> >> fails to authenticate any system user.
> >>
> >> If there is an appropriate place to document this, please let me know, and
> >> I'll happily write it up.
> >
> > Aren't you always the first one asking for sane defaults ;-)
> > Why don't you patch radiusd.conf in the port so that it uses _shadow?
> >
>
> I don't think that it's all that common to use system accounts as
> a backend for radius, I think the current default (i.e. not allowing
> the daemon access to spwd.db without special configuration) is sane,
> personally I'd rather have this documented in a README than change
> the default config.

I agree with Stuart.  And alternatively, you can simply add the
_freeradius user to the _shadow group to give it permission without
changing the port or current permissions.
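The thread turns on one Unix question: with a given `group =` line in radiusd.conf, can the daemon read /etc/spwd.db and the files under /etc/raddb, and can nobody else read the latter? The POSIX sh script below is an added example, written for this page and not taken from the thread, the OpenBSD port or FreeRADIUS itself. It models the read check for every option raised above (Todd's `group = _shadow` with and without `chgrp -R _shadow /etc/raddb`, Antoine's per-file `640 _freeradius:_shadow`, and Dan's "put _freeradius in the _shadow group") on constructed inputs. It assumes /etc/spwd.db is mode 640 owned by root:_shadow, assumes a port default of 640 root:_freeradius for /etc/raddb/users, and assumes radiusd initialises the supplementary groups of its configured user, which is what Dan's suggestion relies on; none of those three facts is stated in the thread, so verify them with `ls -l` and the port's radiusd.conf on a real box.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS port): a pure-shell
# model of the Unix read check behind the options discussed. All modes,
# owners and config fragments below are constructed for illustration.

# in_group NAME CSV -> 0 if NAME appears in the comma-separated list CSV
in_group() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# can_read USER USER_GROUPS MODE OWNER GROUP
#   USER_GROUPS: USER's comma-separated groups (primary and supplementary).
#   MODE: octal such as 640 or 0640.
#   Returns 0 if USER may read the file, 1 if not, 2 on a malformed mode.
can_read() {
    user=$1 ugroups=$2 mode=$3 owner=$4 group=$5
    mode=${mode#"${mode%???}"}          # keep the last three octal digits
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "can_read: bad mode '$3'" >&2; return 2 ;;
    esac
    if [ "$user" = "$owner" ]; then
        bits=${mode%??}                 # owner digit
    elif in_group "$group" "$ugroups"; then
        bits=${mode#?}; bits=${bits%?}  # group digit
    else
        bits=${mode#??}                 # other digit
    fi
    [ $((bits & 4)) -ne 0 ]             # is the read bit set?
}

# conf_group CONF_TEXT -> value of the first 'group = ...' line, or nothing
conf_group() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*group[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
        head -n 1
}

# daemon_can_read CONF_TEXT SUPP_GROUPS MODE OWNER GROUP
#   Models radiusd running as user _freeradius with the group named in
#   CONF_TEXT plus the account's own supplementary groups SUPP_GROUPS
#   (assumed: radiusd initialises supplementary groups for its user).
daemon_can_read() {
    grp=$(conf_group "$1")
    [ -n "$grp" ] || { echo "daemon_can_read: no group in config" >&2; return 2; }
    can_read _freeradius "$grp,$2" "$3" "$4" "$5"
}

# Constructed radiusd.conf fragments: the port default and Todd's change.
CONF_DEFAULT='user = _freeradius
group = _freeradius'
CONF_SHADOW='user = _freeradius
group = _shadow'

# Constructed file permissions as "MODE OWNER GROUP" (assumptions, not facts
# from the thread; check with ls -l on a real system).
SPWD='640 root _shadow'                 # /etc/spwd.db as shipped
USERS_PORT='640 root _freeradius'       # /etc/raddb/users, port default
USERS_CHGRP='640 root _shadow'          # after chgrp -R _shadow /etc/raddb
USERS_SPLIT='640 _freeradius _shadow'   # Antoine's per-file ownership

# verdict LABEL CMD ARGS... : print one line per scenario when run stand-alone
verdict() {
    label=$1; shift
    if "$@"; then printf '%-52s readable\n' "$label"
    else printf '%-52s NOT readable\n' "$label"; fi
}

verdict 'default group, /etc/spwd.db'               daemon_can_read "$CONF_DEFAULT" "" $SPWD
verdict 'group = _shadow, /etc/spwd.db'             daemon_can_read "$CONF_SHADOW" "" $SPWD
verdict 'group = _shadow, users before chgrp'       daemon_can_read "$CONF_SHADOW" "" $USERS_PORT
verdict 'group = _shadow, users after chgrp'        daemon_can_read "$CONF_SHADOW" "" $USERS_CHGRP
verdict 'group = _shadow, users 640 _freeradius:_shadow' daemon_can_read "$CONF_SHADOW" "" $USERS_SPLIT
verdict '_freeradius in _shadow group, /etc/spwd.db' daemon_can_read "$CONF_DEFAULT" _shadow $SPWD
verdict '_freeradius in _shadow group, users'        daemon_can_read "$CONF_DEFAULT" _shadow $USERS_PORT
verdict 'unrelated user www, users file'             can_read www www $USERS_PORT
```

The first two lines of output reproduce the silent failure Todd hit: with the default `group = _freeradius` the daemon is neither owner nor group member of /etc/spwd.db and the other-digit of 640 has no read bit. The third line shows why he then needed the `chgrp`, and the last line confirms that every variant discussed keeps the users file, which may hold passwords, unreadable to an unrelated account.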