Authentication fallback rules
JCA
1.41421 at gmail.com
Wed May 6 20:02:29 UTC 2015
I have set up my PAM configuration so that when SSH connections are
received, the authentication will be carried out by a remote Radius
server. Here's the relevant fragment of my /etc/pam.d/sshd file:
auth sufficient pam_radius.so no_warn
This works fine - as long as the Radius server is reachable. What I
would like is for the system to use local authentication when the
Radius server is not reachable. To that effect, I changed the file as
follows:
auth sufficient pam_radius.so no_warn localifdown
It did not work - if the Radius server is unreachable, the SSH won't
be able to authenticate anything. My next change consisted of having
the following two lines in /etc/pam.d/sshd:
auth sufficient pam_radius.so no_warn localifdown
auth sufficient pam_unix.so no_warn
This does work - but it has the undesirable (for my purposes) drawback
of attempting local authentication also when an incorrect password is
typed in (not unexpectedly, come to think of it). Changing
'sufficient' to 'required' in the second line results in the same
behavior, and changing 'sufficient' to 'required' in the first line
just locks me out when the Radius server is down (also not
unexpectedly).
Any suggestions as to how to achieve this? That is, falling back on to
local authentication if, and only if, the Radius server is
unreachable.
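
The following is an added example, not part of the original post: a simplified Python model of how Linux-PAM evaluates control flags, run over the two-line stack above and over a bracket-control variant. It assumes pam_radius reports a rejected password as `auth_err` and an unreachable server as `authinfo_unavail`; the `FALLBACK` stack is hypothetical and has not been checked against any particular pam_radius build.

```python
# Simplified model of Linux-PAM control-flag evaluation for an auth stack
# (no "reset" or jump actions). Module return codes are constructed inputs.
SUCCESS, AUTH_ERR, AUTHINFO_UNAVAIL = "success", "auth_err", "authinfo_unavail"

# Keyword controls expanded to their bracket equivalents, per pam.conf(5).
KEYWORDS = {
    "required": {"success": "ok", "new_authtok_reqd": "ok",
                 "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok",
                  "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
}

def parse_control(control):
    """Turn 'sufficient' or '[success=done default=die]' into an action map."""
    if control.startswith("["):
        return dict(pair.split("=") for pair in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack, results):
    """stack: list of (control, module); results: module -> return code.
    Returns (authenticated, modules_consulted)."""
    failed, succeeded, consulted = False, False, []
    for control, module in stack:
        consulted.append(module)
        actions = parse_control(control)
        action = actions.get(results[module], actions["default"])
        if action in ("bad", "die"):
            failed = True
            if action == "die":          # stop at once, stack fails
                break
        elif action in ("ok", "done"):
            succeeded = True
            if action == "done" and not failed:
                break                    # stop at once, stack succeeds
        # "ignore": this module's result counts neither way
    return (succeeded and not failed), consulted

# The two-line stack from the post, and a bracket-control variant (hypothetical).
POSTED = [("sufficient", "pam_radius"), ("sufficient", "pam_unix")]
FALLBACK = [("[success=done authinfo_unavail=ignore default=die]", "pam_radius"),
            ("required", "pam_unix")]
```

In this model `POSTED` consults pam_unix after any RADIUS failure, while `FALLBACK` consults it only when the RADIUS result is `authinfo_unavail`.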