PAM order (ssh login)

Nathan Ward lists+freeradius at
Sun Oct 2 02:38:21 CEST 2016


This is not a RADIUS question, it is a PAM question, so start here:
I have some notes below, though this is really a matter for a PAM list, so further discussion should probably be continued elsewhere.

Before changing PAM configuration, you should understand how it works, and what your existing configuration is doing. Getting PAM wrong is - obviously - very bad.

It is difficult to understand what you want to achieve here. Do you want local authentication to mean RADIUS isn’t consulted? I imagine that to be the case, but it is not explicit from your message. If that is the case, then I believe that the problem you are having is because success=1 makes PAM jump over the when returns success, and continue through the other modules, including to the module.

Perhaps you could increase this to 2, and insert below it with a success=1. I don’t know if that will work well in your environment, however, so please do not attempt this until you understand *in detail* exactly what you are doing.

One also wonders why you are sshing to a server with a root password..

Nathan Ward

> On 2/10/2016, at 03:14, Janis Heller <janis.heller at> wrote:
> I use pam_radius to protect my servers.
> Using the sshd file in /etc/pam.d with this config:
> # Standard Un*x authentication.
> @include common-auth
> auth sufficient client_id=server22
> My common-auth(/etc/pam.d/common-auth) looks like this:
> auth	sufficient             
> auth	[success=1 default=ignore] nullok_secure try_first_pass
> auth	requisite
> auth	required
> auth	optional 
> Now when I try to login using for example root account the password is sent to radius too (but system seems to ignore the radius answer).
> I already tried to change the order. I would like to modify PAM in a way that all the default (local) PAM checks are run before a check is made to radius. Where’s my fault?
> I think checking each login request locally first will speed up the server performance.
> All the best;
> -
> List info/subscribe/unsubscribe? See
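
The stack behaviour discussed in this thread can be traced with a small simulation, added here as an illustration and not taken from either poster's message. It compares a simplified version of the posted ordering with the `success=2` / `success=1` arrangement floated in the reply. LOCAL, RADIUS, DENY and PERMIT are placeholder module names, and the evaluator is a reduced model of Linux-PAM's `auth` handling in which a numeric jump skips modules without itself counting as a success.

```python
# Added example: reduced model of how Linux-PAM walks an "auth" stack.
# LOCAL, RADIUS, DENY and PERMIT are placeholder module names (assumptions).
SHORTHAND = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
AS_POSTED = """
auth [success=1 default=ignore] LOCAL
auth requisite DENY
auth required PERMIT
auth sufficient RADIUS
"""
SUGGESTED = """
auth [success=2 default=ignore] LOCAL
auth [success=1 default=ignore] RADIUS
auth requisite DENY
auth required PERMIT
"""

def parse(text):
    """Return one (actions, module) pair per configuration line."""
    stack = []
    for line in text.strip().splitlines():
        rest = line.split(None, 1)[1]            # drop the "auth" column
        if rest.startswith("["):
            ctl, module = rest[1:].split("]", 1)
            actions = dict(kv.split("=") for kv in ctl.split())
        else:
            ctl, module = rest.split(None, 1)
            actions = SHORTHAND[ctl]
        stack.append((actions, module.split()[0]))
    return stack

def authenticate(text, results):
    """results: module -> bool. Returns (granted, modules consulted)."""
    stack, called, ok_seen, failed, i = parse(text), [], False, False, 0
    while i < len(stack):
        actions, module = stack[i]
        called.append(module)
        action = actions["success" if results[module] else "default"]
        i += 1 + (int(action) if action.isdigit() else 0)  # jump skips N modules
        if action in ("ok", "done"):
            ok_seen = True
        elif action in ("bad", "die"):
            failed = True
        if action == "die" or (action == "done" and not failed):
            break                # requisite failure / sufficient success
    return ok_seen and not failed, called
```

With a successful local login, the first stack still consults RADIUS after the jump, while the second skips it and only reaches RADIUS when the local check fails.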
