PAM_IGNORE flag possibly not accepted/ignored?
Martin Richard
martin.richard at gmail.com
Wed Jun 23 14:19:24 UTC 2010
Hello,
I'm trying to set up PAM on RHEL 4 / pam-0.77-66.25 to use Radius auth via
pam_radius_auth (http://freeradius.org/pam_radius_auth/). By itself it works
fine, but I would like to set up a fallback option if and only if the radius
servers can't be reached.
The module supports returning PAM_IGNORE if that's the case, via the
"localifdown" option. So this means that I want a successful auth to quit
the pam auth stack, an auth failure to also quit the stack (if the radius
can be reached and refuses auth, it has authority, and I don't want to have
another prompt or even test a local password in that case) and IF the module
returns PAM_IGNORE, continue with the stack to try for local auth via
pam_unix. Thus I tried this in /etc/pam.d/sshd:
----8<-----/etc/pam.d/sshd-----------
auth required /lib/security/$ISA/pam_env.so
auth [success=done new_authtok_reqd=done ignore=ignore default=die] pam_radius_auth.so localifdown debug
auth sufficient /lib/security/$ISA/pam_unix.so debug audit likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
auth required pam_nologin.so
----8<----------------------------------------
The thing is, it doesn't work. I'm looking for pointers about what I
could be doing wrong, since in tests it seems the rest of the stack is never
attempted if I force a failure in reaching the radius servers...
Is there a way for example to turn on debug info in PAM? From the point
of view of the module I've verified and it should indeed be returning
PAM_IGNORE. If that's the case, it seems the line isn't really ignored by
PAM. The alternative is that something else is returned by pam_radius_auth
but I have no trace of it.
Any info welcome!
Martin Richard
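Added example (not code from the post, Linux-PAM or pam_radius_auth): a simplified Python model of the Linux-PAM stack dispatcher, fed constructed module return codes, that traces what the bracketed control line in the stack above is meant to do. With ignore=ignore the stack should fall through to pam_unix, while a RADIUS refusal should die before pam_unix is ever called.

```python
# Added example: a simplified re-implementation of the Linux-PAM auth stack
# dispatcher (the action semantics documented in pam.conf(5)), not code from
# the post, Linux-PAM or pam_radius_auth. All module return codes are constructed.
PAM_SUCCESS, PAM_IGNORE, PAM_AUTH_ERR, PAM_PERM_DENIED = "success", "ignore", "auth_err", "perm_denied"
# The two classic keywords the post uses, expanded to their bracketed equivalents.
KEYWORDS = {
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}
def parse_control(control):
    """'required' or '[success=done ignore=ignore default=die]' -> action table."""
    if control.startswith("["):
        return dict(kv.split("=", 1) for kv in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack, returns):
    """stack: [(control, module)], returns: {module: code} -> (result, modules run)."""
    impression, status, called = None, None, []
    for control, module in stack:
        retval = returns[module]
        called.append(module)
        table = parse_control(control)
        action = table.get(retval, table["default"])
        if action in ("ok", "done"):
            # a recorded failure is never overwritten by a later success
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                impression, status = "positive", retval
            if impression == "positive" and action == "done":
                break                 # 'done' short-circuits only while we are winning
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break                 # 'die' stops the stack immediately
        # 'ignore' (and the N/reset actions, omitted here) just moves on
    return (status if status is not None else PAM_PERM_DENIED), called

# The auth stack from /etc/pam.d/sshd in the post, module paths dropped.
SSHD_AUTH = [
    ("required", "pam_env"),
    ("[success=done new_authtok_reqd=done ignore=ignore default=die]", "pam_radius_auth"),
    ("sufficient", "pam_unix"),
    ("required", "pam_deny"),
    ("required", "pam_nologin"),
]

def trace(radius_result, unix_result=PAM_SUCCESS):
    # constructed per-module results for one login attempt
    returns = {"pam_env": PAM_SUCCESS, "pam_radius_auth": radius_result, "pam_unix": unix_result,
               "pam_deny": PAM_PERM_DENIED, "pam_nologin": PAM_SUCCESS}
    return run_stack(SSHD_AUTH, returns)
```

If the real stack stops after pam_radius_auth where this model goes on to pam_unix, the module is handing that control line something other than PAM_IGNORE.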