FreeRADIUS/pam_radius

DISA STIG'd RHEL8 Cannot unlock vlock screen lock with RADIUS authentication

jullrey opened this issue · 3 comments

Description of problem:
I manage multiple DISA STIG'd RHEL 8 systems. The default /etc/pam.d/vlock includes system-auth, where I have my 'auth sufficient pam_radius_auth.so debug' line that allows RADIUS authentication to work when I am on the console or ssh to a server. I normally delete the local user's password and only allow RADIUS auth on my RHEL 7 systems, and want to do the same on RHEL 8. However, after I delete the local password and then tmux calls vlock, it will not unlock using RADIUS and will only unlock if I recreate a local password. I don't understand why the include of system-auth in /etc/pam.d/vlock doesn't handle this. I have tried adding the 'auth sufficient pam_radius_auth.so debug' line to the /etc/pam.d/vlock file, but that doesn't work either. Is there something I can add to the /etc/pam.d/vlock file that will allow RADIUS authentication to unlock the screen?

Version-Release number of selected component (if applicable):
1.4.0 (pam_radius-1.4.0-15.el8.src.rpm)

How reproducible:
This happens on every RHEL8 server I build

Steps to Reproduce:

  1. Build a RHEL8 with DISA STIG security profile applied.
  2. Setup RADIUS authentication to an external RADIUS server (Cisco ISE etc.)
  3. Remove local password of a user.
  4. login at console or ssh to server as that user (using RADIUS Authentication)
  5. Wait for tmux to call vlock to lock the screen (900 seconds)
  6. Try to unlock the screen with the user's RADIUS password (does NOT work)
  7. from another terminal recreate the users locally stored password as root
  8. Unlock vlock using the user's locally stored password (Does work)

Actual results:
Screen will not unlock using the RADIUS password.

Expected results:
Screen unlocks with the RADIUS password.

Additional info:
I opened a support case with Red Hat and this is all I got from them:
"We also do not support pam_radius, as that is an EPEL package"

Unfortunately this is a PAM issue, and we don't have any control over it.

See if you can reproduce it with another module which is supported by redhat. But in general, RedHat is very good at "passing the buck" for support queries.

Well, I guess I'll work on figuring out how to authenticate to Active Directory with LDAP. But then if I figure that out I won't actually need to authenticate using RADIUS anymore. The reason we have used RADIUS all these years is that pam_radius was just so easy to set up and point to the TACACS (now ISE) server running a RADIUS service.

Thank you to Iker Pedrosa over on bugzilla for suggesting I use strace to figure out what vlock is doing under the covers. It took a while for me to get back to this and figure out how to test it with strace, but I did figure it out and it turned out to be a simple file permissions issue (he said sheepishly).

I ran vlock from my user account that doesn't have a password, and saw in the strace output that vlock couldn't open /etc/pam_radius.conf.

ls -laZ pam_radius.conf
-rw-------. 1 root root system_u:object_r:etc_t:s0 2750 Nov 18 13:11 pam_radius.conf

chmod 644 pam_radius.conf

ls -laZ pam_radius.conf
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0 2750 Nov 18 13:11 pam_radius.conf

Yes, that's all it took to fix my problem.

I hate to admit how long I have been a Unix/Linux admin and never got around to using strace before this. (Yeah, I worked on IBM AIX and Sun Solaris back in the 90's)

Thanks,

John
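A small helper, added here as an illustration and not part of this thread or of pam_radius itself, that automates the strace diagnosis John describes: it pulls failed open()/openat() calls out of strace output and applies the Unix read-permission rule to show why a root-owned 0600 config is invisible to vlock, which runs as the unprivileged user. The strace lines below are a constructed sample modelled on the symptom, and readable_by is an assumed helper, not anything from the page.

```python
import re

# Constructed sample of strace output from running vlock as an ordinary user
# (not real captured output). The EACCES line is the failure from the thread.
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/etc/pam.d/vlock", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/pam.d/system-auth", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/lib64/security/pam_radius_auth.so", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/etc/pam_radius.conf", O_RDONLY) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/etc/raddb/server", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

# Matches open()/openat() lines (optionally prefixed with "[pid N]" from strace -f)
# that returned -1, capturing the path and the errno name.
OPEN_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?open(?:at)?\((?:AT_FDCWD, )?"([^"]+)"[^)]*\)'
    r'\s*=\s*-1\s+([A-Z]+)'
)


def failed_opens(trace_text, errnos=("EACCES",)):
    """Return (path, errno) pairs for open/openat calls that failed with one of errnos."""
    hits = []
    for line in trace_text.splitlines():
        m = OPEN_RE.match(line.strip())
        if m and m.group(2) in errnos:
            hits.append((m.group(1), m.group(2)))
    return hits


def readable_by(mode, file_uid, file_gid, uid, gids):
    """Classic Unix read check: owner bits, then group bits, then other bits.
    uid 0 bypasses the check, as the kernel does for root."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & 0o400)
    if file_gid in gids:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


if __name__ == "__main__":
    for path, err in failed_opens(SAMPLE_TRACE):
        print(f"vlock could not open {path}: {err}")
    # root-owned 0600 vs 0644, as seen by a user with uid/gid 1000 (John's case)
    print("0600 readable by user 1000:", readable_by(0o600, 0, 0, 1000, {1000}))
    print("0644 readable by user 1000:", readable_by(0o644, 0, 0, 1000, {1000}))
```

Real output to feed failed_opens comes from running `strace -f -o vlock.trace vlock` as the affected user. Because pam_radius.conf carries the RADIUS shared secret, the readable_by check also shows that a 0640 file owned by a group the unlocking users belong to would satisfy vlock without making the secret readable by every local account.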