telling the difference between login failed or server is down

Andrew Morgan morgan at kernel.org
Thu Mar 15 18:15:22 UTC 2007


The first question is whether the pam_radius_auth module returns
different status in these two situations.

Let's say it returns three things:

  PAM_AUTHINFO_UNAVAIL implying that the RADIUS server is down.
  PAM_SUCCESS implying that a good password was entered
  * i.e., something else which means RADIUS knows it doesn't like you..

The following 'auth' config should work:

auth     [success=done authinfo_unavail=ignore default=die] \
                    pam_radius_auth.so
auth     required   pam_unix_auth.so try_first_pass

I'm not sure whether requiring radius connectivity for the account and
session parts may require some special handling too, but this info
should help get you on the right track.

When you get it working, share your config file.. :-)

More info on the '[...]' config syntax is here:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html

Cheers

Andrew

Ken Partridge wrote:
> Hi All,
> 
> I have just a simplistic RADIUS pam file
> 
> # /etc/pam.d/login
> #RADIUS_CONFIGURATION
> auth            sufficient      pam_radius_auth.so
> auth sufficient pam_unix_auth.so try_first_pass
> account         required        pam_radius_auth.so
> password        required        pam_radius_auth.so
> 
> The only way I want pam_unix_auth.so to execute is if the RADIUS server
> is down, if the user entered a wrong password for the user on the RADIUS
> server, I don't want pam_unix_auth.so to execute.
> 
> So basically I need to be able to tell if the login failed either from a
> bad password or the RADIUS server was down. If the RADIUS server is
> down, I need the user to log on locally. If the RADIUS server is running
> and it was just a bad password, I want the process to fail and never try
> locally.
> 
> Thanks
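
An added example, not part of the original thread and not libpam code: a simplified Python model of how an 'auth' stack is walked, comparing the two-line 'sufficient' config from the question with the '[...]' config from the reply. It assumes, as the reply does, that pam_radius_auth.so returns PAM_AUTHINFO_UNAVAIL when the server is down; run_stack, parse_control and the scenario values are hypothetical names and constructed inputs.

```python
# Simplified model of how Linux-PAM walks an 'auth' stack (not libpam code).
# Return codes are written as the tokens used inside '[...]' controls.
SHORTHAND = {  # reduced to the two entries that matter here
    "required":   {"success": "ok",   "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
}

def parse_control(control):
    """Map 'sufficient' or '[success=done default=die]' to {return code: action}."""
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return SHORTHAND[control]

def run_stack(stack, results):
    """stack: [(control, module)]; results: {module: simulated return code}.
    Returns (final status, list of modules that were actually called)."""
    status, ran = None, []          # None: nothing has contributed yet
    for control, module in stack:
        ret = results[module]
        ran.append(module)
        actions = parse_control(control)
        action = actions.get(ret, actions["default"])
        if action == "ignore":
            continue                # result does not count towards the stack
        if action in ("bad", "die"):
            if status in (None, "success"):
                status = ret        # first failure decides the stack result
            if action == "die":
                break               # stop now, later modules never run
        else:                       # "ok" or "done"
            if status is None:
                status = ret
            if action == "done" and status == "success":
                break
    return (status or "auth_err"), ran   # all-ignored stack modelled as failure

RADIUS, UNIX = "pam_radius_auth.so", "pam_unix_auth.so"
ORIGINAL = [("sufficient", RADIUS), ("sufficient", UNIX)]
SUGGESTED = [("[success=done authinfo_unavail=ignore default=die]", RADIUS),
             ("required", UNIX)]

if __name__ == "__main__":
    for radius in ("success", "auth_err", "authinfo_unavail"):
        for name, stack in (("original", ORIGINAL), ("suggested", SUGGESTED)):
            # Constructed scenario: the local password would be accepted.
            print(radius, name, run_stack(stack, {RADIUS: radius, UNIX: "success"}))
```

With a RADIUS rejection the original stack still reaches pam_unix_auth.so, while the suggested stack stops at the RADIUS line; only the authinfo_unavail case falls through to the local check.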