PAM order (ssh login)

Janis Heller janis.heller at
Sat Oct 1 16:14:44 CEST 2016

I use pam_radius to protect my servers.
Using the sshd file in /etc/pam.d with this config:

# Standard Un*x authentication.
@include common-auth

auth sufficient client_id=server22

My common-auth(/etc/pam.d/common-auth) looks like this:

auth	sufficient             
auth	[success=1 default=ignore] nullok_secure try_first_pass
auth	requisite
auth	required
auth	optional 

Now when I try to login using for example root account the password is sent to radius too (but system seems to ignore the radius answer).
I already tried to change the order, I would like to modify PAM in a way, all the default (local) PAM checks are runned before a check is made to radius. Where’s my fault?
I think checking each login request first local will speed up the server performance.

All the best;

More information about the Freeradius-Users mailing list