I tested on Solaris 8 and it works as intended when I modified the code to
use PAM_IGNORE. Will test Solaris 7 but expect same result.

What is interesting on Linux (rh7.2), when you modify the code to use
PAM_IGNORE, if RADIUS does not respond, it allows you in with ANY
password, even when pam_unix fails...


This was my Linux /etc/pam.d/sshd config:
auth       required     /lib/security/pam_securetty.so
#auth       required    /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
auth    required      /lib/security/pam_radius_auth.so debug
auth    optional       /lib/security/pam_unix_auth.so debug


And a log snippet:

Feb 13 13:04:46 desktop sshd[25994]: pam_radius_auth: All RADIUS servers failed to respond, moving to next module.
Feb 13 13:04:46 desktop sshd[25994]: pam_radius_auth: authentication failed
Feb 13 13:04:46 desktop sshd(pam_unix)[25994]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=red
Feb 13 13:04:46 desktop sshd[25994]: Accepted password for hidden_user from x.x.x.x port 1471 ssh2




On Wed, 12 Feb 2003, Frank Cusack wrote:

> On Tue, Feb 11, 2003 at 03:30:09PM -0500, JR Mayberry wrote:
> >
> > I'd like to have radius auth be "required" unless radius is down... I've
> > been reading and apparently this can be done with PAM_IGNORE. At least on
> > Solaris I've read that PAM_IGNORE will ignore regardless of required,
> > sufficient, optional, etc...
>
> I don't think PAM_IGNORE is portable; on Linux it's documented to only
> work for 'account' modules.
>
> > I'm testing on redhat 7.2, but would implement on rh7.0/7.2, solaris 7/8.
>
> Try solaris.  Please report back your findings.
>
> /fc
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
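
The accepted login in the log above matches how Linux-PAM combines module results: an ignored result contributes nothing, a failing `optional` module is discarded, and the earlier `required` successes stand. The following is an added example, not part of the original messages or of pam_radius_auth: a simplified model of the keyword control flags, in which the return values given for pam_securetty and pam_nologin and the `unix_control` parameter are assumptions.

```python
# Simplified model of how Linux-PAM combines module results for the four
# keyword control flags. Module return values below are constructed inputs.
SUCCESS, IGNORE, AUTH_ERR = "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTH_ERR"

def action_for(control, retval):
    """Map (control flag, module return value) to a stack action."""
    if retval == SUCCESS:
        return "done" if control == "sufficient" else "ok"
    if retval == IGNORE or control in ("optional", "sufficient"):
        return "ignore"          # result is dropped from the verdict
    return "die" if control == "requisite" else "bad"

def evaluate(stack):
    """stack: list of (control, module, retval). Returns the final result."""
    status, impression = AUTH_ERR, None   # no verdict until a module counts
    for control, _module, retval in stack:
        action = action_for(control, retval)
        if action in ("ok", "done"):
            if impression is None:
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
    # A stack in which nothing counted must fail.
    return status if impression is not None else AUTH_ERR

def sshd_stack(radius_ret, unix_ret, unix_control="optional"):
    """The auth stack from the message; unix_control is a hypothetical knob."""
    return [
        ("required", "pam_securetty", SUCCESS),   # assumed: non-root user
        ("required", "pam_nologin", SUCCESS),     # assumed: no /etc/nologin
        ("required", "pam_radius_auth", radius_ret),
        (unix_control, "pam_unix_auth", unix_ret),
    ]

if __name__ == "__main__":
    # RADIUS down (PAM_IGNORE) and wrong local password: stack still succeeds.
    print("as posted:     ", evaluate(sshd_stack(IGNORE, AUTH_ERR)))
    # Same inputs with pam_unix_auth marked required: the failure now counts.
    print("unix required: ", evaluate(sshd_stack(IGNORE, AUTH_ERR, "required")))
```

With pam_unix_auth marked `required`, a user must also pass the local password check when RADIUS is up, so that change trades the fail-open for a second mandatory check.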

