Re: PAM_IGNORE flag possibly not accepted/ignored ?

On Wed, 2010-06-23 at 10:19 -0400, Martin Richard wrote:
> Hello,
> 
>   I'm trying to set up PAM on RHEL 4 / pam-0.77-66.25 to use Radius
> auth via pam_radius_auth (http://freeradius.org/pam_radius_auth/). By
> itself it works fine, but I would like to set up a fallback option if
> and only if the radius servers can't be reached.
> 
>   The module supports returning PAM_IGNORE if that's the case, via the
> "localifdown" option. So this means that I want a successful auth to
> quit the pam auth stack, an auth failure to also quit the stack (if
> the radius can be reached and refuses auth, it has authority, and I
> don't want to have another prompt or even test a local password in
> that case) and IF the module returns PAM_IGNORE, continue with the
> stack to try for local auth via pam_unix. Thus I tried this
> in /etc/pam.d/sshd:
> 
> ----8<-----/etc/pam.d/sshd-----------
> auth        required      /lib/security/$ISA/pam_env.so
> auth       [success=done new_authtok_reqd=done ignore=ignore default=die] pam_radius_auth.so localifdown debug
> auth        sufficient    /lib/security/$ISA/pam_unix.so debug audit likeauth nullok
> auth        required      /lib/security/$ISA/pam_deny.so
> auth       required     pam_nologin.so
> ----8<----------------------------------------
> 
>   The thing is, it doesn't work.. I'm looking for pointers about what
> I could be doing wrong, since in tests it seems the rest of the stack
> is never attempted if I force a failure in reaching the radius
> servers...
> 
>   Is there a way for example to turn on debug info in PAM? From the
> point of view of the module I've verified and it should indeed be
> returning PAM_IGNORE. If that's the case, it seems the line isn't
> really ignored by PAM. The alternative is that something else is
> returned by pam_radius_auth but I have no trace of it.

You can replace pam_radius_auth.so with pam_debug.so auth=ignore - this
way you could see whether the stack works fine when PAM_IGNORE is
returned or not. 

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
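
The outcome the pam_debug.so test in the reply checks for, as an added example (not code from the thread or from Linux-PAM): a simplified Python model of how Linux-PAM evaluates control fields, run over the auth stack quoted above. The function names, the lowercase return-code tokens and the per-module results are constructed for illustration; jump and reset actions are not modelled.

```python
# Added example: simplified model of Linux-PAM stack dispatch.
# Jump and reset actions are not modelled; return codes are lowercase tokens.
KEYWORDS = {
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite": "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional": "success=ok new_authtok_reqd=ok default=ignore",
}
# The auth stack from the quoted /etc/pam.d/sshd (module paths shortened).
STACK = [
    ("required", "pam_env"),
    ("[success=done new_authtok_reqd=done ignore=ignore default=die]", "pam_radius_auth"),
    ("sufficient", "pam_unix"),
    ("required", "pam_deny"),
    ("required", "pam_nologin"),
]

def parse_control(control):
    """Map 'required' or '[success=done default=die]' to {retval: action}."""
    text = KEYWORDS.get(control, control.strip("[]"))
    return dict(pair.split("=") for pair in text.split())

def run_stack(stack, results):
    """Return (final status, modules called) for constructed module results."""
    status, impression, called = "success", None, []
    for control, module in stack:
        actions = parse_control(control)
        retval = results[module]
        called.append(module)
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break
        elif action in ("bad", "die"):
            if impression != "neg":
                impression = "neg"
                status = "failed" if retval == "ignore" else retval
            if action == "die":
                break
    if impression != "pos" and status == "success":
        status = "failed"  # no module vouched for the user
    return status, called

def scenario(radius, unix):
    """Run STACK with constructed results for pam_radius_auth and pam_unix."""
    fixed = {"pam_env": "success", "pam_deny": "auth_err", "pam_nologin": "success"}
    return run_stack(STACK, {**fixed, "pam_radius_auth": radius, "pam_unix": unix})
```

In this model `scenario("ignore", "success")` reaches pam_unix and succeeds, while `scenario("auth_err", "success")` stops at pam_radius_auth; if the real stack with pam_debug.so auth=ignore behaves differently, the control line is not being applied as written.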

