PAM order (ssh login)

Janis Heller janis.heller at outlook.de
Sat Oct 1 16:14:44 CEST 2016


I use pam_radius to protect my servers.
Using the sshd file in /etc/pam.d with this config:

# Standard Un*x authentication.
@include common-auth

auth sufficient pam_radius_auth.so client_id=server22


My common-auth (/etc/pam.d/common-auth) looks like this:

auth	sufficient                      pam_script.so 
auth	[success=1 default=ignore]	pam_unix.so nullok_secure try_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so
auth	optional			pam_cap.so 

Now when I try to log in using, for example, the root account, the password is sent to radius too (but the system seems to ignore the radius answer).
I already tried to change the order. I would like to modify PAM in such a way that all the default (local) PAM checks are run before a check is made to radius. Where's my mistake?
I think checking each login request locally first will speed up the server performance.

All the best;
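
An added example, not part of the original post: a simplified Python model of the Linux-PAM control flags, applied to the two files above with @include common-auth flattened into the sshd stack, to trace which modules get called. The module outcomes are constructed inputs; the model assumes a success=N jump only skips modules, assumes pam_cap succeeds, and omits new_authtok_reqd.

```python
# Simplified model of Linux-PAM control flags for one "auth" stack.
# STACK is the post's sshd file with "@include common-auth" flattened.
STACK = [
    ("sufficient", "pam_script"),
    ({"success": 1, "default": "ignore"}, "pam_unix"),
    ("requisite", "pam_deny"),
    ("required", "pam_permit"),
    ("optional", "pam_cap"),
    ("sufficient", "pam_radius_auth"),
]

# Keyword controls as bracket actions (new_authtok_reqd omitted).
KEYWORDS = {
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}

def evaluate(stack, outcomes):
    """Return (granted, modules_called); outcomes maps module -> True/False."""
    verdict, called, skip = None, [], 0   # verdict None = nothing counted yet
    for control, module in stack:
        if skip:                          # consumed by an earlier success=N jump
            skip -= 1
            continue
        called.append(module)
        actions = control if isinstance(control, dict) else KEYWORDS[control]
        action = actions["success" if outcomes[module] else "default"]
        if isinstance(action, int):       # jump: skip N modules (assumed to add no verdict)
            skip = action
        elif action in ("ok", "done"):
            if verdict is None:
                verdict = True
            if verdict and action == "done":
                break                     # sufficient success ends the stack
        elif action in ("bad", "die"):
            verdict = False
            if action == "die":
                break                     # requisite failure ends the stack
    return bool(verdict), called

# Constructed outcomes: pam_deny always fails, pam_permit always succeeds.
BASE = {"pam_script": False, "pam_deny": False, "pam_permit": True, "pam_cap": True}

if __name__ == "__main__":
    for unix_ok in (True, False):
        for radius_ok in (True, False):
            result = evaluate(STACK, {**BASE, "pam_unix": unix_ok, "pam_radius_auth": radius_ok})
            print(f"pam_unix={unix_ok} radius={radius_ok} ->", result)
```

In this model pam_radius_auth is called only after pam_unix has already succeeded, and its result does not change the outcome; when pam_unix fails, pam_deny ends the stack before RADIUS is reached.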