To help others (like us) who hit this issue...

R. Marc posted:
> Yeah, figured that; just trying to figure out why.
> and yes, it's sshd:
>
> # strings /usr/sbin/sshd | grep INC
> INCORRECT
>
> > As a suggestion, if there are 5-6 pieces of software involved in
> > authentication, don't immediately jump to blaming the PAM radius module.
>
> Not blaming, just trying to solve a problem.

In our case, sshd_config had an "AllowUsers <blah>" directive to allow only one specific user to login via SSH. For a different username, that directive causes the otherwise correct password to be changed to the value "INCORRECT". That is then passed on to the PAM module and pam_auth_radius sends that INCORRECT password to the RADIUS server, which appropriately denies access.

Removing the AllowUsers line allowed ssh logins to succeed in the appropriate cases. If you make the same change, but wish to block some users (e.g., root) from ssh login, be sure to verify that behavior. In our case no further changes were needed.

Alan Carwile

--
View this message in context: http://freeradius.1045715.n5.nabble.com/pam-auth-radius-tp3388722p4400923.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
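
A quick way to check for the situation described in this message before suspecting the RADIUS side, as an added example that is not part of the original post: it reads the AllowUsers/DenyUsers lists from an sshd_config and reports whether a username would be rejected by sshd itself (and so, per the post, reach pam_auth_radius with the password "INCORRECT"). The function names and the sample config are constructed; it assumes only the global section matters (it stops at the first Match block) and does not evaluate Include files, group directives, or the HOST part of USER@HOST entries.

```python
import re

# Constructed sample, not from the original post: only "svcadmin" is allowed.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
UsePAM yes
AllowUsers svcadmin
DenyUsers guest*
"""

def _glob_to_regex(pattern):
    """sshd patterns use only '*' and '?' as wildcards; the rest is literal."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts))

def collect_user_lists(config_text):
    """Gather AllowUsers/DenyUsers patterns found before any Match block."""
    lists = {"allowusers": [], "denyusers": []}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword.lower() == "match":
            break
        if keyword.lower() in lists:
            lists[keyword.lower()].extend(args)  # repeated directives accumulate
    return lists

def ssh_user_verdict(config_text, user):
    """Return whether sshd's user lists would permit or reject this username."""
    lists = collect_user_lists(config_text)
    def hits(patterns):
        # USER@HOST entries are compared on the USER part only (host unknown here).
        return [p for p in patterns if _glob_to_regex(p.split("@", 1)[0]).fullmatch(user)]
    if hits(lists["denyusers"]):  # sshd processes DenyUsers before AllowUsers
        return "rejected: matches DenyUsers"
    if lists["allowusers"] and not hits(lists["allowusers"]):
        return "rejected: not listed in AllowUsers"
    return "permitted by AllowUsers/DenyUsers"

if __name__ == "__main__":
    for name in ("svcadmin", "alice", "guest1"):
        print(name, "->", ssh_user_verdict(SAMPLE_CONFIG, name))
```

To run it against a real host, pass the contents of that host's sshd_config instead of `SAMPLE_CONFIG`.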