
Authentication fallback rules



I have set up my PAM configuration so that when SSH connections are
received, the authentication will be carried out by a remote Radius
server. Here's the relevant fragment of my /etc/pam.d/sshd file:

       auth            sufficient        pam_radius.so           no_warn

This works fine - as long as the Radius server is reachable. What I
would like is for the system to use local authentication when the
Radius server is not reachable. To that effect, I changed the file as
follows:

       auth            sufficient        pam_radius.so           no_warn localifdown

It did not work - if the Radius server is unreachable, the SSH won't
be able to authenticate anything. My next change consisted of having
the following two lines in /etc/pam.d/sshd:

       auth            sufficient        pam_radius.so           no_warn localifdown
       auth            sufficient        pam_unix.so               no_warn

This does work - but it has the undesirable (for my purposes) drawback
of attempting local authentication also when an incorrect password is
typed in (not unexpectedly, come to think of it). Changing
'sufficient' to 'required' in the second line results in the same
behavior, and changing 'sufficient' to 'required' in the first line
just locks me out when the Radius server is down (also not
unexpectedly).

Any suggestions as to how to achieve this? That is, falling back on to
local authentication if, and only if, the Radius server is
unreachable.
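
The stack behaviour described in the message above, modelled as an added example that is not part of the original post: a small simulator of Linux-PAM's documented control-flag semantics, run over the posted two-line stack and over a hypothetical bracket-syntax stack. It assumes Linux-PAM's `[value=action]` control syntax is available and that the RADIUS module returns PAM_AUTHINFO_UNAVAIL when the server is unreachable and PAM_AUTH_ERR when it rejects a password; the scenarios are constructed.

```python
# Added illustration: a model of how Linux-PAM walks an auth stack.
# Keyword expansions follow the Linux-PAM pam.conf(5) documentation.
FLAGS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_control(control):
    """Turn 'sufficient' or '[success=done default=die]' into a result -> action map."""
    if control.startswith("["):
        return dict(pair.split("=") for pair in control.strip("[]").split())
    return FLAGS[control]

def run_stack(stack, results):
    """stack: list of (control, module); results: module -> return value name.
    Returns (granted, modules_consulted)."""
    impression, status, consulted = None, "success", []
    for control, module in stack:
        ret = results[module]
        consulted.append(module)
        actions = parse_control(control)
        action = actions.get(ret, actions["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break  # decision made, later modules are not consulted
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                break  # fail immediately, no fallback
        # action "ignore": this module's result does not contribute
    return impression == "positive" and status == "success", consulted

# The two-line stack from the post.
POSTED = [("sufficient", "pam_radius"), ("sufficient", "pam_unix")]
# Hypothetical alternative (assumption, not from the post): only an
# "unavailable" result from RADIUS is allowed to fall through to pam_unix.
FALLBACK = [("[success=done authinfo_unavail=ignore default=die]", "pam_radius"),
            ("required", "pam_unix")]

# Constructed scenarios: RADIUS rejects a password that the local account accepts,
# and RADIUS is unreachable while the local password is correct.
REJECTED = {"pam_radius": "auth_err", "pam_unix": "success"}
DOWN = {"pam_radius": "authinfo_unavail", "pam_unix": "success"}

if __name__ == "__main__":
    for name, stack in (("posted", POSTED), ("fallback", FALLBACK)):
        print(name, run_stack(stack, REJECTED), run_stack(stack, DOWN))
```

In the model, the posted stack consults pam_unix after a RADIUS rejection because `sufficient` maps every non-success result to `ignore`, while the bracket form stops at the rejection and only reaches pam_unix on the unavailable result.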

