I tested on Solaris 8 and it works as intended when I modified the code to
use PAM_IGNORE. Will test Solaris 7 but expect same result.
What is interesting on Linux (rh7.2), when you modify the code to use
PAM_IGNORE, if RADIUS does not respond, it allows you in with ANY
password, even when pam_unix fails...
This was my linux /etc/pam.d/sshd config:
auth required /lib/security/pam_securetty.so
#auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_radius_auth.so debug
auth optional /lib/security/pam_unix_auth.so debug
And a log snippet:
Feb 13 13:04:46 desktop sshd[25994]: pam_radius_auth: All RADIUS servers failed to respond, moving to next module.
Feb 13 13:04:46 desktop sshd[25994]: pam_radius_auth: authentication failed
Feb 13 13:04:46 desktop sshd(pam_unix)[25994]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=red
Feb 13 13:04:46 desktop sshd[25994]: Accepted password for hidden_user from x.x.x.x port 1471 ssh2
On Wed, 12 Feb 2003, Frank Cusack wrote:
> On Tue, Feb 11, 2003 at 03:30:09PM -0500, JR Mayberry wrote:
> >
> > I'd like to have radius auth be "required" unless radius is down... I've
> > been reading and apparently this can be done with PAM_IGNORE. At least on
> > Solaris I've read that PAM_IGNORE will ignore regardless of required,
> > sufficient, optional, etc...
>
> I don't think PAM_IGNORE is portable; on Linux it's documented to only
> work for 'account' modules.
>
> > I'm testing on redhat 7.2, but would implement on rh7.0/7.2, solaris 7/8.
>
> Try solaris. Please report back your findings.
>
> /fc
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
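
An added example, not part of the original thread or of the pam_radius_auth code: a simplified Python model of how Linux-PAM combines control flags, as documented in pam.conf(5), run against the posted sshd auth stack with constructed module return codes. It assumes current Linux-PAM semantics (not verified for the Red Hat 7.2 build); `FALLBACK` is a hypothetical alternative stack, and `parse_stack`, `allows_login` and `outcome` are illustrative names.

```python
import re

# Simplified model of Linux-PAM auth-stack evaluation; tables per pam.conf(5).
FLAGS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}
LINE = re.compile(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text):
    stack = []                                  # [(action table, module name)]
    for line in text.splitlines():
        m = LINE.match(line.strip())            # "#auth ..." does not match
        if m:
            ctl, path = m.groups()
            table = FLAGS.get(ctl) or dict(
                kv.split("=") for kv in ctl[1:-1].split())
            stack.append((table, path.rsplit("/", 1)[-1]))
    return stack

def allows_login(stack, codes):
    impression, status = None, "must_fail"      # no module has voted yet
    for table, module in stack:
        ret = codes.get(module, "success")      # unlisted modules: assume success
        action = table.get(ret, table.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None:
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                break
    return impression == "positive" and status == "success"

HEAD = ("auth required /lib/security/pam_securetty.so\n"
        "auth required /lib/security/pam_nologin.so\n")
POSTED = HEAD + ("auth required /lib/security/pam_radius_auth.so debug\n"
                 "auth optional /lib/security/pam_unix_auth.so debug\n")
# Hypothetical alternative: RADIUS decides when it answers, pam_unix when it does not.
FALLBACK = HEAD + ("auth [success=done ignore=ignore default=die] /lib/security/pam_radius_auth.so\n"
                   "auth required /lib/security/pam_unix_auth.so\n")

def outcome(config, radius, unix):              # constructed module return codes
    return allows_login(parse_stack(config),
                        {"pam_radius_auth.so": radius, "pam_unix_auth.so": unix})
```

Under this model, `outcome(POSTED, "ignore", "auth_err")` is `True`, matching the logged session: the `optional` pam_unix failure is ignored and the earlier `required` successes stand once RADIUS returns PAM_IGNORE. The `FALLBACK` stack denies that same case while still accepting a RADIUS success or, when RADIUS is unreachable, a correct local password.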