pam radius bypass same local user (exception user)

Question

Pam Radius login works with the following configuration. However, it would be necessary for some users to perform local authentication. How can I solve this?

[xxxxxxxxxxx ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth    [success=done default=bad authinfo_unavail=bad ignore=ignore]  pam_radius_auth.so localifdown

auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params >
session    required     pam_namespace.so >
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

score 0 · Answer 1 · edited Nov 01 '22 at 17:23

#%PAM-1.0
auth required   pam_radius_auth.so
#
#auth      required     pam_sepermit.so
#auth       substack     password-auth
#auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

pam radius bypass same local user (exception user)

1 Answers1