PAM order (ssh login)
Janis Heller
janis.heller at outlook.de
Sat Oct 1 16:14:44 CEST 2016
I use pam_radius to protect my servers.
I am using the sshd file in /etc/pam.d with this config:
# Standard Un*x authentication.
@include common-auth
auth sufficient pam_radius_auth.so client_id=server22
My common-auth (/etc/pam.d/common-auth) looks like this:
auth sufficient pam_script.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
Now when I try to log in using, for example, the root account, the password is sent to RADIUS too (but the system seems to ignore the RADIUS answer).
I already tried to change the order. I would like to modify PAM in such a way that all the default (local) PAM checks are run before a check is made to RADIUS. Where’s my mistake?
I think checking each login request locally first will speed up the server performance.
All the best;
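
Added example (not part of the original post, and not code from FreeRADIUS or Linux-PAM): a simplified Python model of how Linux-PAM evaluates the control flags in the posted stack, run for three password outcomes. The function and variable names are hypothetical, and pam_script is assumed to fail because its script is not shown.

```python
# Added example: simplified model of Linux-PAM auth-stack control flow.
# No real PAM module is invoked; module results are supplied by the caller.

# The posted sshd auth stack with "@include common-auth" inlined.
STACK = [
    ("sufficient", "pam_script"),
    ("[success=1 default=ignore]", "pam_unix"),
    ("requisite", "pam_deny"),
    ("required", "pam_permit"),
    ("optional", "pam_cap"),
    ("sufficient", "pam_radius_auth"),
]

def outcomes(local_ok, radius_ok, script_ok=False):
    # Assumption: pam_script fails unless told otherwise (its script is not shown).
    return {"pam_script": script_ok, "pam_unix": local_ok, "pam_deny": False,
            "pam_permit": True, "pam_cap": True, "pam_radius_auth": radius_ok}

def run_stack(stack, results):
    """Return (granted, modules_called) for one authentication attempt."""
    called, failed, succeeded, skip = [], False, False, 0
    for control, module in stack:
        if skip:                      # jumped over by an earlier success=N
            skip -= 1
            continue
        called.append(module)
        ok = results[module]
        if control == "requisite" and not ok:
            return False, called      # failure ends the stack at once
        if control == "sufficient":
            if ok and not failed:
                return True, called   # success ends the stack at once
            continue                  # failure of a sufficient module is ignored
        if control == "[success=1 default=ignore]":
            skip = 1 if ok else 0     # result itself does not count
            continue
        if control == "required" and not ok:
            failed = True             # remembered, but the stack keeps going
        elif ok:
            succeeded = True          # required/requisite/optional success
        # an optional failure is ignored
    return succeeded and not failed, called

if __name__ == "__main__":
    for local_ok, radius_ok in [(True, False), (True, True), (False, True)]:
        granted, called = run_stack(STACK, outcomes(local_ok, radius_ok))
        print(f"local={local_ok} radius={radius_ok} -> granted={granted}; called={called}")
```

In this model a correct local password lets the stack reach pam_radius_auth, whose result cannot change the outcome, while a wrong local password makes pam_deny end the stack before RADIUS is consulted.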
More information about the Freeradius-Users
mailing list