# Prevent the following 1 rule from applying to rootauth [default=1 success=ignore] pam_succeed_if.so uid > 0# Configure PAM to use RADIUS with possible to local fallback, only if radius/proxy server is down..auth [success=done new_authtok_reqd=done ignore=ignore default=die] pam_radius_auth.so localifdownHello all,I'm developing PAM policy for a server in which my organization doesn't have control of the RADIUS infrastructure. This particular system is using the RADIUS PAM module only for authentication purposes -- an account must be present on the system in order for a login to be successful.The users of this system must never have access to two accounts -- one we'll call 'system' the other is 'root'. The PAM configuration has 'PAM_RADIUS auth sufficient' prior to Unix auth. I'm concerned that if a RADIUS administrator adds an account for 'root' or 'system' in the RADIUS infrastructure, the user will then get unauthorized "root" or "system" access.Has anyone on the list encountered a similar issue? After inspecting the RADIUS PAM module code, it appears that there aren't any hooks for disabling RADIUS auth for certain users. This appears to be a rather trivial feature to implement, if I add this functionality to the module, is there any interest in my patch? Any other ideas?Thanks!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html