Date:      Tue, 28 Apr 2015 12:05:55 -0700
From:      Chris Stankevitz <chrisstankevitz@gmail.com>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Using pam_radius in /etc/pam.d/sshd
Message-ID:  <CAPi0psuR6P9HrE-nK79hvwrAng6=u+5H8N3_XhHDiSu4bMqfWQ@mail.gmail.com>

Hello,

1. After I supply an incorrect radius password three times, I am not
afforded an opportunity to supply my pam_unix password.  Why am I not
afforded this opportunity? (pam.d/sshd below)

2. Is there a way to reduce the number of times a user can attempt to
login with pam_radius from 3 to 1?  'man pam_radius' suggests no
options that might accomplish this.  I wonder if there are 'secret'
options at a higher level to control this.

My goal: users can log in with pam_radius or pam_unix, whichever they
choose.  I figured I would accomplish this with the following
/etc/pam.d/sshd auth and by telling users "just press enter when
prompted for the radius pw, then you will be prompted for your
passwd":

auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_radius.so
auth            required        pam_unix.so             no_warn try_first_pass


Thank you,

Chris
