Dear PAM module developers,
There are four types of control flags defined by the PAM standard:
required, requisite, sufficient, and optional.
I need one more type of control flag.
1. This type is similar to the requisite type if the network/AAA server is up
and an authentication module
(either pam_ldap, pam_radius, or pam_tacacs) returns Success or Failure.
2. This authentication type should be similar to the sufficient type if the
authentication module returns Failure
due to the network condition or remote server status
(AAA server is down, the daemon isn't running to authenticate a request from
a client, the network is down, etc.).
In this case control will be passed to the next authentication
method.
I enclosed a configuration file for better understanding of the problem.
new_type is a new authentication type to meet the above-mentioned
requirements.
debugshell#more /etc/pam.d/pam_config
#%PAM-1.0
auth new_type /lib/security/pam_tacplus.so server=172.19.226.182
auth required /lib/security/pam_unix.so
account new_type /lib/security/pam_tacplus.so server=172.19.226.182
account required /lib/security/pam_unix.so
session required /lib/security/pam_unix.so
I appreciate any suggestions and advice before I start implementing the new
authentication type.
Thank you very much for help,
Leon
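
Added example, not part of the original message and not libpam code: a simplified Python model of how Linux-PAM evaluates a stack, used to compare the requested behaviour against requisite and sufficient. It expresses new_type in Linux-PAM's bracketed `[value=action]` control syntax; that pam_tacplus reports an unreachable server as `authinfo_unavail` is an assumption, and the module results passed in are constructed.

```python
# Simplified model of Linux-PAM stack evaluation (added example, not libpam code).
# Only the ok / done / ignore / bad / die actions are modelled.
SHORTHAND = {  # keyword equivalents as documented in pam.conf(5)
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}
# Candidate stand-in for "new_type": requisite, except that an unreachable
# server is skipped. ASSUMPTION: the module returns authinfo_unavail then.
NEW_TYPE = ("[success=ok new_authtok_reqd=ok ignore=ignore "
            "authinfo_unavail=ignore default=die]")

def parse_control(control):
    """Turn a keyword or a bracketed control into {return_name: action}."""
    spec = SHORTHAND.get(control, control).strip("[]")
    return dict(pair.split("=") for pair in spec.split())

def run_stack(stack, results):
    """stack: [(control, module)]; results: module -> return name (constructed)."""
    status, failed = None, False      # None: no module has contributed yet
    for control, module in stack:
        ret = results[module]         # KeyError means the module was consulted
        actions = parse_control(control)
        action = actions.get(ret, actions["default"])
        if action == "ignore":
            continue                  # result does not count either way
        if action in ("bad", "die"):
            if not failed:            # the first failure decides the code
                status, failed = ret, True
            if action == "die":
                break                 # stop immediately, skip later modules
        elif not failed:              # ok / done never override a failure
            status = ret
            if action == "done":
                break
    return status or "perm_denied"    # nothing contributed: deny

def auth_stack(first_control):
    """The auth stack from the message, with a chosen control on pam_tacplus."""
    return [(first_control, "pam_tacplus"), ("required", "pam_unix")]

if __name__ == "__main__":
    for tac in ("success", "auth_err", "authinfo_unavail"):
        res = {"pam_tacplus": tac, "pam_unix": "success"}
        print(tac, "->", run_stack(auth_stack(NEW_TYPE), res))
```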