Date: Tue, 28 Apr 2015 12:05:55 -0700
Subject: Using pam_radius in /etc/pam.d/sshd
From: Chris Stankevitz
To: freebsd-questions

Hello,

1. After I supply an incorrect radius password three times, I am not afforded an opportunity to supply my pam_unix password. Why am I not afforded this opportunity? (pam.d/sshd below)

2. Is there a way to reduce the number of times a user can attempt to log in with pam_radius from 3 to 1? 'man pam_radius' suggests no options that might accomplish this. I wonder if there are 'secret' options at a higher level to control this.

My goal: users can log in with pam_radius or pam_unix, whichever they choose. I figured I would accomplish this with the following /etc/pam.d/sshd auth and by telling users "just press enter when prompted for the radius pw, then you will be prompted for your passwd":

auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_radius.so
auth required pam_unix.so no_warn try_first_pass

Thank you,

Chris