Hello,

First off - if you think this doesn't belong here, just don't reply instead of being caustic. I'm asking only because it both concerns PAM and the pam_radius_auth module (especially the localifdown option). And I think it could be of interest to others. I'll be asking the pam-linux crowd too..

I'm trying to set up PAM auth with pam_radius_auth to use the RADIUS server's answer as final, unless there's no answer at all. This is what I tried under Linux:

----8<-----/etc/pam.d/sshd-----------
auth required /lib/security/$ISA/pam_env.so
auth [success=done new_authtok_reqd=done ignore=ignore default=die] pam_radius_auth.so localifdown debug
auth sufficient /lib/security/$ISA/pam_unix.so debug audit likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
auth required pam_nologin.so
----8<----------------------------------------

My thinking was as follows:

- If we get a success, we're done. Permit entry, but don't continue down the stack to prevent local auth via pam_unix.
- If we get a failure, we're done, too. Deny entry, and don't continue down the stack since it serves no purpose.
  (I don't want to get down to pam_unix: don't want an extra prompt, passwords could be different, etc. If the RADIUS server is up, it's the only authority I want.)

Both these conditions should be covered with "done" and "die" in the extended flags. What I'm next interested in is: if we don't have an answer from the RADIUS server, via "localifdown" we should make the module return PAM_IGNORE. Thus having ignore=ignore in the extended flags.

Thing is, it doesn't work... If I mess up /etc/raddb/server to change the key, the host entry or whatever to make sure I can't reach the RADIUS server, I don't seem to be going down the stack.. I just get denied access and have no trace at all in the logs.

I do not think pam_radius_auth is behaving wrongly - looking at the code is simple enough, I do get "All RADIUS servers failed to respond" in the SYSLOG, so it should clearly be returning PAM_IGNORE as documented.

I'm wondering if anybody has tried such a setup? Pointers and constructive comments appreciated.

Martin Richard
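To reason about what the stack above should do for each possible pam_radius_auth return value, here is an added example (not part of the original post, and not libpam code) that models Linux-PAM's auth-stack evaluation as documented in pam.conf(5): the keyword controls (required, requisite, sufficient, optional) are expanded to their bracket equivalents, and the actions ok, done, bad, die, ignore, reset and N are applied to the return codes of constructed stub modules. The stack text is the post's /etc/pam.d/sshd; the per-module return values in simulate() are assumptions for one login attempt (pam_env returns PAM_IGNORE for auth, pam_deny always fails, pam_nologin succeeds when /etc/nologin is absent). The "done after a recorded failure does not terminate" rule is a simplification of the real dispatcher.

```python
"""Simplified model of Linux-PAM 'auth' stack evaluation (added example, not libpam).

Assumption: action semantics follow pam.conf(5). Use it to predict which modules
are consulted and what the application receives for a given set of module results.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PAM_SUCCESS, PAM_IGNORE, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTH_ERR"
PAM_NEW_AUTHTOK_REQD, PAM_PERM_DENIED = "PAM_NEW_AUTHTOK_REQD", "PAM_PERM_DENIED"

# Keyword controls expressed as their documented bracket equivalents.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The post's stack, reproduced here as input for the model.
SSHD_AUTH_STACK = """\
auth required /lib/security/$ISA/pam_env.so
auth [success=done new_authtok_reqd=done ignore=ignore default=die] pam_radius_auth.so localifdown debug
auth sufficient /lib/security/$ISA/pam_unix.so debug audit likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
auth required pam_nologin.so
"""


@dataclass
class Entry:
    module: str               # module basename without ".so", e.g. "pam_radius_auth"
    control: Dict[str, str]   # return-code name -> action


def parse_control(control: str) -> Dict[str, str]:
    """Turn a keyword or a [code=action ...] field into a lookup table."""
    if control in KEYWORD_CONTROLS:
        return dict(KEYWORD_CONTROLS[control])
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unknown control field: %s" % control)
    table = {}
    for item in control[1:-1].split():
        code, action = item.split("=", 1)
        table[code] = action
    return table


def parse_auth_stack(text: str) -> List[Entry]:
    """Parse the 'auth' lines of a pam.d file; bracket controls may contain spaces."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "auth":
            continue
        if tokens[1].startswith("["):
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control, module_path = " ".join(tokens[1:end + 1]), tokens[end + 1]
        else:
            control, module_path = tokens[1], tokens[2]
        module = module_path.rsplit("/", 1)[-1]
        if module.endswith(".so"):
            module = module[:-3]
        entries.append(Entry(module, parse_control(control)))
    return entries


def retcode_key(retval: str) -> str:
    # PAM_SUCCESS -> "success", PAM_AUTH_ERR -> "auth_err" (falls back to "default")
    return retval[len("PAM_"):].lower()


def run_auth_stack(entries: List[Entry], results: Dict[str, str]) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Evaluate the stack; returns (final status, trace of (module, retval, action))."""
    impression, status, trace, i = None, None, [], 0   # impression: None, "positive", "negative"
    while i < len(entries):
        e = entries[i]
        retval = results[e.module]
        action = e.control.get(retcode_key(retval), e.control.get("default", "bad"))
        trace.append((e.module, retval, action))
        if action in ("bad", "die"):
            if impression != "negative":               # first failure is the one reported
                impression, status = "negative", retval
            if action == "die":
                break                                   # terminate the stack immediately
        elif action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                impression, status = "positive", retval  # never overrides a recorded failure
            if action == "done" and impression == "positive":
                break                                   # success: return to the application now
        elif action == "reset":
            impression, status = None, None
        elif action.isdigit():
            i += int(action)                            # skip the next N entries
        # "ignore": the module's result does not contribute; keep going
        i += 1
    return (PAM_PERM_DENIED if impression is None else status), trace


def simulate(radius: str, unix: str) -> Tuple[str, List[str]]:
    """Constructed results for one login: vary what pam_radius_auth and pam_unix return."""
    results = {"pam_env": PAM_IGNORE, "pam_radius_auth": radius, "pam_unix": unix,
               "pam_deny": PAM_AUTH_ERR, "pam_nologin": PAM_SUCCESS}
    final, trace = run_auth_stack(parse_auth_stack(SSHD_AUTH_STACK), results)
    return final, [module for module, _, _ in trace]


if __name__ == "__main__":
    for radius, unix in [(PAM_SUCCESS, PAM_AUTH_ERR), (PAM_AUTH_ERR, PAM_SUCCESS),
                         (PAM_IGNORE, PAM_SUCCESS), (PAM_IGNORE, PAM_AUTH_ERR)]:
        print("radius=%-13s unix=%-13s ->" % (radius, unix), simulate(radius, unix))
```

Under this model the intended behaviour holds: a RADIUS success or failure stops the stack at pam_radius_auth, and a PAM_IGNORE from localifdown is absorbed by ignore=ignore so evaluation continues into pam_unix, which then decides (and pam_deny catches a local failure). If the real system denies access without ever consulting pam_unix, the thing to verify is what the module actually returns in that configuration (for instance with the module's debug output in syslog), not the control field.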