Penned by Stuart Henderson on 20090828  8:51.04, we have:
| On 2009-08-28, Ian Chard <ian.ch...@sers.ox.ac.uk> wrote:
| > On 27/08/09 13:44, Schvberle Daniel wrote:
| >>> Hi,
| >>>
| >>> I'm using OpenBSD 4.5-stable, and I'm trying to configure RADIUS
| >>> authentication.  What I want is for the system to try the
| >>> RADIUS server,
| >>> and if it fails, fall back to the local password file.  In
| >>> login.conf I have
| >>>
| >>> auth-defaults:auth=radius,passwd:radius-server=my.radius.server
| >>>
| >>> If the RADIUS server isn't there for whatever reason, the
| >>> system doesn't
| >>> fallback to password file authentication.  The same happens
| >>> if I specify
| >>> the methods the other way round: the RADIUS server is never
| >>> tried even
| >>> if the password-file-based login fails.
| >>>
| >>> I need to make sure that I can always log in even if the
| >>> RADIUS server
| >>> has gone away.  Is it possible to configure the system in this way?
| >>>
| >>> Thanks
| >>> - Ian
| >>
| >> Why not make a new login class for radius users and make yourself
| >> "backup" users in default class? Normally you'd login with users from
| >> the radius class and if that fails you'd use a user from the default class.
| >> Of course, that way you'd have to use different login names for the
| >> two classes.
| >
| > That's a good workaround, thanks.  Do you know if it's a bug that this 
| > doesn't work, or is it just not implemented?  I assumed from the 
| > manpages that being able to specify more than one style implies that 
| > there's some kind of fallback mechanism.
| >
| > I just wanted to know whether it was worth filing a bug for this.
| 
| I used to use authentication styles for skey; as login(1) says, "To specify
| the alternate authentication mechanism style, the string :style is appended
| to the user name (i.e., user:style)."
| 
| So you shouldn't need a separate account, just login as "user:passwd".
| The existence of "krb5-or-pwd" suggests to me that there's probably no
| automatic fall-back but I haven't checked that.

There is indeed no automatic fallback.  krb5-or-pwd makes it very clear
that if you want fallback, you must create an auth method that does what
you wish.

The ability for me to login as 'todd:passwd' is invaluable to me, as
even krb5-or-pwd sometimes has conditions where sshd default timeouts
are not long enough.  Aka if no default route is set, and the kerberos
server is not on the local network, it times out quickly.  Otherwise, if
the network is up but the kerberos server is not reachable, it takes
over 10min to fallback to passwd, during which time the 5min sshd
default timeout times the connection out.  Especially my firewall but
lots of my systems have:

        auth-defaults:auth=krb5-or-pwd,passwd:

Thanks,
-- 
Todd Fries .. t...@fries.net

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| "..in support of free software solutions."  \  sip:freedae...@ekiga.net
|                                             \  sip:4052279...@ekiga.net
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt
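An added login.conf(5) fragment, not from anyone in this thread, that puts the two workarounds discussed above side by side: a dedicated `radius` class for RADIUS accounts, and a second `passwd` style in its auth list so such an account can still be reached as "user:passwd" when the RADIUS server is gone. The class name and server name are assumptions.

```conf
# /etc/login.conf fragment (added example, not from the thread).
# Default behaviour for every class that does not set auth= itself:
# Kerberos with the built-in krb5-or-pwd fallback, plus a plain
# "passwd" style that a user can force with "user:passwd" at login.
auth-defaults:\
	:auth=krb5-or-pwd,passwd:

# Dedicated class for RADIUS-authenticated accounts (assumed names).
# Listing two styles does NOT give automatic fallback: the first style
# is used unless the user appends ":style" to the login name, so an
# account in this class can still get in with "user:passwd" if
# my.radius.server is unreachable.
radius:\
	:auth=radius,passwd:\
	:radius-server=my.radius.server:

# Assign an account to the class with: usermod -L radius <user>
# After editing, rebuild the database if /etc/login.conf.db exists:
#   cap_mkdb /etc/login.conf
```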
