pam_auth_radius - fallback with localifdown?

Martin Richard martin.richard at gmail.com
Tue Jun 22 22:40:09 CEST 2010


Hello,

  First off - if you think this doesn't belong here, just don't reply instead
of being caustic. I'm asking only because it concerns both PAM and the
pam_radius_auth module (especially the localifdown option).  And I think it
could be of interest to others. I'll be asking the pam-linux crowd too.

  I'm trying to set up PAM auth with pam_radius_auth to use the RADIUS
server's answer as final, unless there's no answer at all. This is what I
tried under Linux:

----8<-----/etc/pam.d/sshd-----------
auth        required      /lib/security/$ISA/pam_env.so
auth        [success=done new_authtok_reqd=done ignore=ignore default=die]  pam_radius_auth.so localifdown debug
auth        sufficient    /lib/security/$ISA/pam_unix.so debug audit likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
auth        required      pam_nologin.so
----8<----------------------------------------

  My thinking was as follows:

  - If we get a success, we're done. Permit entry, but don't continue down
the stack to prevent local auth via pam_unix
  - If we get a failure, we're done, too. Deny entry, and don't continue
down the stack since it serves no purpose.
    (I don't want to get down to pam_unix: don't want an extra prompt,
passwords could be different, etc. If the RADIUS server is up, it's the only
authority I want.)

  Both these conditions should be covered with "done" and "die" in the
extended flags. What I'm next interested in is if we don't have an answer
from the radius server, via "localifdown" we should make the module return
PAM_IGNORE. Thus having ignore=ignore in the extended flag.

  Thing is, it doesn't work... If I mess up /etc/raddb/server to change the
key, the host entry or whatever to make sure I can't reach the RADIUS
server, I don't seem to be going down the stack. I just get denied access
and have no trace at all in the logs.

  I do not think pam_radius_auth is behaving wrongly - looking at the code
is simple enough, I do get "All RADIUS servers failed to respond" in the
SYSLOG, so it should clearly be returning PAM_IGNORE as documented.

  I'm wondering if anybody has tried such a setup? Pointers and
constructive comments appreciated.

  Martin Richard
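The following is an added example, not code from the post above or from Linux-PAM or pam_radius_auth. It is a small model of how Linux-PAM walks an auth stack written with the extended control syntax, following the actions pam.conf(5) documents (ok, done, bad, die, ignore, and numeric jumps, with unlisted return codes falling through to default, and default itself being bad when not given). The module return values are constructed inputs: nothing here talks to a RADIUS server or checks a password. The last scenario, in which the RADIUS module returns PAM_AUTHINFO_UNAVAIL, is a constructed alternative to show what default=die does to any value other than PAM_IGNORE; it is not a claim about what pam_radius_auth returns. The value of the trace for the problem in the post is that it separates the two possible causes: if the stack as written behaves as intended here, the remaining question is which return code the module actually produced on the real system.

```python
"""Trace Linux-PAM auth-stack evaluation for the extended control syntax.

Added example (not from the original post, not Linux-PAM code). Module
results are constructed; only the stack-walk rules from pam.conf(5) are
modelled: ok, done, bad, die, ignore, numeric jumps, and 'default'.
"""

import re

# Return codes used in the trace; numeric values as in Linux-PAM's _pam_types.h
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_AUTHINFO_UNAVAIL = 9
PAM_NEW_AUTHTOK_REQD = 12
PAM_IGNORE = 25

RETCODES = {
    "success": PAM_SUCCESS,
    "perm_denied": PAM_PERM_DENIED,
    "auth_err": PAM_AUTH_ERR,
    "authinfo_unavail": PAM_AUTHINFO_UNAVAIL,
    "new_authtok_reqd": PAM_NEW_AUTHTOK_REQD,
    "ignore": PAM_IGNORE,
}
RETNAME = {v: "PAM_" + k.upper() for k, v in RETCODES.items()}

# Keyword shorthands exactly as pam.conf(5) spells them out
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """Map a control field to {retcode: action}; 'default' covers unlisted codes.
    Actions are 'ok', 'done', 'bad', 'die', 'ignore' or an int (jump N).
    When no default is written, unlisted codes are treated as 'bad'."""
    control = KEYWORDS.get(control, control)
    actions = {"default": "bad"}
    for value, action in re.findall(r"(\w+)=(\w+)", control):
        action = int(action) if action.isdigit() else action
        actions["default" if value == "default" else RETCODES[value]] = action
    return actions


def run_stack(stack, results):
    """stack: list of (control, module); results: {module: retcode} (constructed).
    Returns (final status, list of modules that were actually consulted)."""
    impression = None          # None = undefined, True = positive, False = negative
    status = PAM_PERM_DENIED   # what a stack with no contributing module ends on
    consulted = []
    i = 0
    while i < len(stack):
        control, module = stack[i]
        actions = parse_control(control)
        retval = results[module]
        action = actions.get(retval, actions["default"])
        consulted.append(module)
        if action in ("ok", "done") or isinstance(action, int):
            # a positive result only counts while nothing negative is recorded yet
            if impression is None or (impression and status == PAM_SUCCESS):
                if retval != PAM_IGNORE:
                    impression, status = True, retval
            if action == "done" and impression:
                break                        # stop, return to the application
            if isinstance(action, int):
                i += action                  # jump: skip the next N modules
        elif action in ("bad", "die"):
            if impression is not False:      # the first failure is the one reported
                impression, status = False, retval
            if action == "die":
                break
        # 'ignore': the module's result does not contribute to the stack
        i += 1
    return status, consulted


# The sshd auth stack from the post, paths dropped, module order unchanged
SSHD_AUTH = [
    ("required", "pam_env"),
    ("[success=done new_authtok_reqd=done ignore=ignore default=die]", "pam_radius_auth"),
    ("sufficient", "pam_unix"),
    ("required", "pam_deny"),
    ("required", "pam_nologin"),
]


def scenario(radius, unix):
    """Run the stack with a constructed RADIUS result and local (pam_unix) result.
    pam_env and pam_nologin are assumed to succeed; pam_deny always fails."""
    results = {
        "pam_env": PAM_SUCCESS,
        "pam_radius_auth": radius,
        "pam_unix": unix,
        "pam_deny": PAM_AUTH_ERR,
        "pam_nologin": PAM_SUCCESS,
    }
    return run_stack(SSHD_AUTH, results)


if __name__ == "__main__":
    cases = {
        "RADIUS accepts": (PAM_SUCCESS, PAM_AUTH_ERR),
        "RADIUS rejects": (PAM_AUTH_ERR, PAM_SUCCESS),
        "no RADIUS answer, module returns PAM_IGNORE, local password ok": (PAM_IGNORE, PAM_SUCCESS),
        "no RADIUS answer, module returns PAM_IGNORE, local password bad": (PAM_IGNORE, PAM_AUTH_ERR),
        "no RADIUS answer, module returns PAM_AUTHINFO_UNAVAIL (constructed)": (PAM_AUTHINFO_UNAVAIL, PAM_SUCCESS),
    }
    for label, (radius, unix) in cases.items():
        status, consulted = scenario(radius, unix)
        print(f"{label}: {RETNAME[status]} via {' -> '.join(consulted)}")
```

Run stand-alone it prints one line per scenario. With the stack as written, a RADIUS accept or reject ends the walk at pam_radius_auth, a PAM_IGNORE falls through to pam_unix, and any other "server down" code hits default=die and denies before pam_unix is ever reached. Note also that pam_nologin sits after pam_deny and is only consulted once pam_deny has already recorded the failure, so it never changes the outcome of this auth stack.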


More information about the Freeradius-Users mailing list