telling the difference between login failed or server is down
Andrew Morgan
morgan at kernel.org
Thu Mar 15 18:15:22 UTC 2007
The first question is whether the pam_radius_auth module returns
different status in these two situations.

Let's say it returns three things:

  PAM_AUTHINFO_UNAVAIL implying that the RADIUS server is down.
  PAM_SUCCESS implying that a good password was entered
  * i.e., something else which means RADIUS knows it doesn't like you..

The following 'auth' config should work:

    auth [success=done authinfo_unavail=ignore default=die] \
            pam_radius_auth.so
    auth required pam_unix_auth.so try_first_pass

I'm not sure whether requiring radius connectivity for the account and
session parts may require some special handling too, but this info
should help get you on the right track.

When you get it working, share your config file.. :-)

More info on the '[...]' config syntax is here:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html

Cheers

Andrew

Ken Partridge wrote:
> Hi All,
>
> I have just a simplistic RADIUS pam file
>
> # /etc/pam.d/login
> #RADIUS_CONFIGURATION
> auth sufficient pam_radius_auth.so
> auth sufficient pam_unix_auth.so try_first_pass
> account required pam_radius_auth.so
> password required pam_radius_auth.so
>
> The only way I want pam_unix_auth.so to execute is if the RADIUS server
> is down, if the user entered a wrong password for the user on the RADIUS
> server, I don't want pam_unix_auth.so to execute.
>
> So basically I need to be able to tell if the login failed either from a
> bad password or the RADIUS server was down. If the RADIUS server is
> down, I need the user to log on locally. If the RADIUS server is running
> and it was just a bad password, I want the process to fail and never try
> locally.
>
> Thanks
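Added example (not part of the original message, and not Linux-PAM code): a simplified Python model of how one PAM 'auth' stack is evaluated, comparing the sufficient/sufficient stack from the question with the bracket-syntax stack suggested in the reply. It assumes, as the reply does, that pam_radius_auth returns PAM_AUTHINFO_UNAVAIL when the server is unreachable; module arguments such as try_first_pass are left out, and the names run_stack, ORIGINAL and SUGGESTED are hypothetical.

```python
# Simplified model of Linux-PAM stack evaluation for one 'auth' stack.
# Covers the ok/done/bad/die/ignore actions only (no jumps, no reset).
SUCCESS, AUTH_ERR, AUTHINFO_UNAVAIL, PERM_DENIED = (
    "success", "auth_err", "authinfo_unavail", "perm_denied")

# Keyword controls expanded to their documented bracket equivalents.
KEYWORDS = {
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
    "required": {"success": "ok", "new_authtok_reqd": "ok",
                 "ignore": "ignore", "default": "bad"},
}

def parse_control(control):
    """Turn 'required' or '[success=done default=die]' into a dict."""
    if control.startswith("["):
        return dict(pair.split("=") for pair in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack, results):
    """stack: list of (control, module); results: module -> return value.
    Returns (final status, modules that were actually called)."""
    status, impression, called = PERM_DENIED, None, []
    for control, module in stack:
        retval = results[module]
        called.append(module)
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression == "good" and status == SUCCESS):
                impression, status = "good", retval
            if action == "done" and impression == "good":
                break  # stack ends here with the current status
        elif action in ("bad", "die"):
            if impression != "bad":
                impression, status = "bad", retval  # first failure wins
            if action == "die":
                break  # fail immediately, later modules never run
        # action == "ignore": this module does not affect the result
    if status == SUCCESS and impression != "good":
        status = PERM_DENIED
    return status, called

# Constructed stacks taken from the two configurations in this thread.
RADIUS, UNIX = "pam_radius_auth.so", "pam_unix_auth.so"
ORIGINAL = [("sufficient", RADIUS), ("sufficient", UNIX)]
SUGGESTED = [("[success=done authinfo_unavail=ignore default=die]", RADIUS),
             ("required", UNIX)]
```

With a wrong RADIUS password and a valid local password, run_stack(ORIGINAL, ...) ends in success via pam_unix_auth.so, while run_stack(SUGGESTED, ...) stops at pam_radius_auth.so with auth_err.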