On Wed, 2010-06-23 at 10:19 -0400, Martin Richard wrote:
> Hello,
>
> I'm trying to set up PAM on RHEL 4 / pam-0.77-66.25 to use Radius
> auth via pam_radius_auth (http://freeradius.org/pam_radius_auth/). By
> itself it works fine, but I would like to set up a fallback option if
> and only if the radius servers can't be reached.
>
> The module supports returning PAM_IGNORE if that's the case, via the
> "localifdown" option. So this means that I want a successful auth to
> quit the pam auth stack, an auth failure to also quit the stack (if
> the radius can be reached and refuses auth, it has authority, and I
> don't want to have another prompt or even test a local password in
> that case) and IF the module returns PAM_IGNORE, continue with the
> stack to try for local auth via pam_unix. Thus I tried this
> in /etc/pam.d/sshd:
>
> ----8<-----/etc/pam.d/sshd-----------
> auth required /lib/security/$ISA/pam_env.so
> auth [success=done new_authtok_reqd=done ignore=ignore
> default=die] pam_radius_auth.so localifdown debug
> auth sufficient /lib/security/$ISA/pam_unix.so debug audit
> likeauth nullok
> auth required /lib/security/$ISA/pam_deny.so
> auth required pam_nologin.so
> ----8<----------------------------------------
>
> The thing is, it doesn't work.. I'm looking for pointers about what
> I could be doing wrong, since in tests it seems the rest of the stack
> is never attempted if I force a failure in reaching the radius
> servers...
>
> Is there a way for example to turn on debug info in PAM ? From the
> point of view of the module I've verified and it should indeed be
> returning PAM_IGNORE. If that's the case, it seems the line isn't
> really ignored by PAM. The alternative is that something else is
> returned by pam_radius_auth but I have no trace of it.

You can replace pam_radius_auth.so with pam_debug.so auth=ignore - this
way you could see whether the stack works fine when PAM_IGNORE is
returned or not.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
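
What the pam_debug test suggested above should show if the stack is evaluated as documented, as an added example that is not part of the original post or of Linux-PAM itself: a simplified Python model of the control rules in pam.conf(5), run over the auth stack from the quoted /etc/pam.d/sshd. The module return values are constructed inputs, and jump counts and the `reset` action are not modeled.

```python
# Simplified model of Linux-PAM stack dispatch (added example, not PAM source).
SUCCESS, AUTH_ERR, IGNORE, PERM_DENIED = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE", "PAM_PERM_DENIED"
KEY = {SUCCESS: "success", AUTH_ERR: "auth_err", IGNORE: "ignore"}
# Keyword controls in their bracket form, as documented in pam.conf(5).
KEYWORDS = {
    "required": "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite": "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional": "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(control):
    control = KEYWORDS.get(control, control)
    return dict(pair.split("=") for pair in control.strip("[]").split())

def run_stack(stack, returns):
    """stack: [(control, module)]; returns: module -> code it hands back."""
    impression, status = None, PERM_DENIED  # no module has an opinion yet
    for control, module in stack:
        actions = parse_control(control)
        retval = returns[module]
        action = actions.get(KEY[retval], actions["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break  # stop here, later modules are never called
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval  # first failure wins
            if action == "die":
                break
        # "ignore": the module's result does not affect the outcome
    return status

# The auth stack from the quoted /etc/pam.d/sshd.
SSHD_AUTH = [
    ("required", "pam_env"),
    ("[success=done new_authtok_reqd=done ignore=ignore default=die]", "pam_radius_auth"),
    ("sufficient", "pam_unix"),
    ("required", "pam_deny"),
    ("required", "pam_nologin"),
]

def outcome(radius, unix):
    # Constructed return values; pam_debug.so auth=ignore plays the radius=IGNORE case.
    returns = {"pam_env": SUCCESS, "pam_radius_auth": radius, "pam_unix": unix,
               "pam_deny": AUTH_ERR, "pam_nologin": SUCCESS}
    return run_stack(SSHD_AUTH, returns)
```

In this model `outcome(IGNORE, SUCCESS)` is `PAM_SUCCESS` and `outcome(AUTH_ERR, SUCCESS)` is `PAM_AUTH_ERR`; a live stack that disagrees with it under `pam_debug.so auth=ignore` points at the stack, while one that agrees points at what pam_radius_auth actually returns.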