Sudo no longer working with RADIUS logins after upgrade to 5.4

2013-11-06 Thread Andrew Klettke
We're seeing a strange issue where logging into a newly-upgraded 5.4 machine with a RADIUS login works fine, but when trying to use sudo to execute commands, I get "incorrect password attempts" in /var/log/secure. Transcript of this (server name censored to "foo", user censored to "user"), log

Re: Sudo no longer working with RADIUS logins after upgrade to 5.4

2013-11-06 Thread Andrew Klettke
Should also add that a /usr/bin/sudo binary copied over from a 5.3 machine works as expected.
Thanks,
Andrew Klettke
Systems Admin
Optic Fusion
On 11/06/2013 11:17 AM, Andrew Klettke wrote:
We're seeing a strange issue where logging into a newly-upgraded 5.4 machine with a RADIUS login works

Re: Sudo no longer working with RADIUS logins after upgrade to 5.4

2013-11-06 Thread Andrew Klettke
Hey man, hope you're doing well. The new version of sudo definitely breaks radius support somehow. Old binary on newly-upgraded server, calling "login_radius" as expected:
32409 sudo CALL lstat(0xcfbda248,0xcfbd9fe0)
32409 sudo NAMI "/usr/libexec/auth/login_radius"
32409 sudo S

Re: Sudo no longer working with RADIUS logins after upgrade to 5.4

2013-11-06 Thread Todd C. Miller
The only change I see to sudo between 5.3 and 5.4 that might be related is this one. You could try backing it out via "patch -R" and see if the old behavior is restored. - todd Index: sudo.c === RCS file: /home/cvs/openbsd/src/usr.

Re: Sudo no longer working with RADIUS logins after upgrade to 5.4

2013-11-06 Thread Alexander Hall
On 11/06/13 20:47, Andrew Klettke wrote:
Hey man, hope you're doing well. The new version of sudo definitely breaks radius support somehow. Old binary on newly-upgraded server, calling "login_radius" as expected:
32409 sudo CALL lstat(0xcfbda248,0xcfbd9fe0)
32409 sudo NAMI "/usr/l

Re: Sudo no longer working with RADIUS logins after upgrade to 5.4

2013-11-06 Thread Andrew Klettke
On 11/06/2013 12:26 PM, Alexander Hall wrote:
On 11/06/13 20:47, Andrew Klettke wrote:
Hey man, hope you're doing well. The new version of sudo definitely breaks radius support somehow. Old binary on newly-upgraded server, calling "login_radius" as expected:
32409 sudo CALL lstat(0xcfbda

Re: Sudo no longer working with RADIUS logins after upgrade to 5.4

2013-11-06 Thread Todd C. Miller
On Wed, 06 Nov 2013 13:01:38 -0800, Andrew Klettke wrote:
> Which is odd, and definitely incorrect, as it works with the old binary,
> and radius is set up correctly in login.conf (IP censored):
>
> radius:\
> :auth=radius:\
> :radius-server=***.***.***.***:\
> :ignorenologin:\
> :requirehome@:\

Re: Sudo no longer working with RADIUS logins after upgrade to 5.4

2013-11-06 Thread Ted Unangst
On Wed, Nov 06, 2013 at 14:29, Todd C. Miller wrote:
> Basically, sudo is using the authentication style of the destination
> user (in this case root) instead of the invoking user. A workaround
> may be to configure root to use radius authentication.
Is this the correct behavior? As I understand

Re: Sudo no longer working with RADIUS logins after upgrade to 5.4

2013-11-07 Thread Todd C. Miller
On Thu, 07 Nov 2013 00:08:00 -0500, Ted Unangst wrote:
> Is this the correct behavior? As I understand it, when I run sudo, it
> asks for my password because it wants me to prove I'm me. I don't have
> to authenticate as the destination user, so why is the destination
> user's auth style being use