trying to override the pam_auth attribute

Jonathan Davis jonathan at
Fri Aug 27 20:36:52 CEST 2021

On 2021-08-27 10:47 a.m., Alan DeKok wrote:
>> That was the only text I had added when I started, not a lot to tell at that point.
>    The point is that there are many configuration files, each of which can be hundreds of lines of text.  "I added stuff" tells me nothing.  Where did you add it?  Which file?  Where in the file?

Sorry, multiple thread replies in, and I guess it wasn't clear. At the 
start, I had only added the line "pam_auth = newradiusd" to authorize {} 
of sites-enabled/default

>> I got tripped up and originally approached it from the thought that if an attribute (which I was thinking as a variable) was set as "pam_auth" (lowercause and an underscore), that I would be required to updated it by using "pam_auth = <new value>". Having it switch to camel case with a dash wasn't clicking.
>    Or use the same name?  I don't know of any programming language where you can change case of variable names, *and* change dashes to underscores, and it will just "do the right thing".

That's right, I was looking at it from different perspective (being 
ignorant of Attribute-Names and update <lists>. I saw the following in 

pam {
     pam_auth = radiusd

And the note about how it could be overridden in authorize, so I lifted 
"pam_auth = radiusd". To me, it was unexpected that a value set to 
"pam_auth" would need to be updated with "Pam-Auth", and again ignorant 
of Attribute-Names and that the Note was very specifically pointing to 

It's obvious now and I feel foolish heh.

What's the reason behind it being updated in the authorize section? My 
novice understanding is that authorize is where FreeRadius checks 
modules to see which one is up to trying to authenticate the request?

I've also got some other questions related to breaking down users vs 
clients vs virtual_servers, with all this in place, but that's possibly 
best started in a new thread with all the details included.

Thank you again for your assistance.


>> But I'm eating my humble pie, and having revisited the docs on unlang, the intro about the intention not to create yet another programming language, and re-reading the docs on update with a fresh morning brain free of distractions, I caught that it was the control keyword as the list was missing, and that no list specified was defaulting to request, and am able to override values set in the pam.conf to allow different yubico yubikey_mapping files by specifying different pam configuration files.
>    Yup.  Technical details matter.
>    Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list