Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 28 Apr 2015 12:05:55 -0700
From:      Chris Stankevitz <>
To:        freebsd-questions <>
Subject:   Using pam_radius in /etc/pam.d/sshd
Message-ID:  <>

Next in thread | Raw E-Mail | Index | Archive | Help

1. After I supply an incorrect radius password three time, I am not
afforded an opportunity to supply my pam_unix password.  Why am I not
afforded this opportunity? (pam.d/sshd below)

2. Is there a way to reduce the number of times a user can attempt to
login with pam_radius from 3 to 1?  'man pam_radius' suggests no
options that might accomplish this.  I wonder if there are 'secret'
options at a higher level to control this.

My goal: users can log in with pam_radius or pam_unix, whichever they
choose.  I figured I would accomplish this with the following
/etc/pam.d/sshd auth and by telling users "just press enter when
prompted for the radius pw, then you will be prompted for your

auth            sufficient             no_warn no_fake_prompts
auth            requisite       no_warn allow_local
auth            sufficient
auth            required             no_warn try_first_pass

Thank you,


Want to link to this message? Use this URL: <>