
I am using CentOS 6.3 and want to enable SSH RADIUS authentication along with CentOS system authentication.

Right now my server authenticates against the RADIUS server first, and after that does system authentication. I want the server to authenticate with Unix credentials first and after that authenticate via RADIUS.

I'm pretty sure that I have set something inside the file /etc/pam.d/sshd, but I'm not sure what it is I should set.

The configuration I'm using now is:

auth       required   /lib64/security/pam_radius_auth.so
auth       include    system-auth
account    required   /lib64/security/pam_stack.so service=system-auth
password   required   /lib64/security/pam_stack.so service=system-auth
session    required   /lib64/security/pam_stack.so service=system-auth

If I use the above, RADIUS authentication comes first, then CentOS system authentication. What I need is to change this to CentOS system authentication first, then RADIUS authentication.

Andrew Domaszek

1 Answer


In a PAM config, the order matters. If authentication requires the user to auth against both system and RADIUS successfully, move auth include system-auth above auth required /lib64/security/pam_radius_auth.so.

If not, grab all the auth lines from the system-auth file and copy them to this file. Change any lines you copied from required to sufficient and place them above pam_radius_auth.so. Comment out or remove the auth include system-auth line.

If PAM encounters a sufficient line and it passes, it will log in, skipping the remainder, but failure will not immediately abort the authentication process. If it failed, it will try the remaining lines in order.

Andrew Domaszek
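
The control-flag behaviour described in the answer above, as an added example that is not part of the original post: a simplified Python model of how PAM walks an auth stack, showing which modules are actually called for each ordering. The module outcomes are constructed, and the flattened system-auth lines in INCLUDE_FIRST are an assumption (a file whose pam_unix line is already sufficient); in that case a local success ends the whole stack before pam_radius_auth is called, so check the real system-auth before relying on include for a both-must-pass setup.

```python
# Added example: simplified model of PAM "auth" stack evaluation. Only the
# keyword controls are modelled; [value=action] syntax and substack are not.

def evaluate(stack, outcomes):
    """stack: [(control, module)]; outcomes: module -> bool.
    Returns (authenticated, modules_called_in_order)."""
    failed = False       # a "required" line has failed earlier in the stack
    succeeded = False    # at least one non-optional line has succeeded
    called = []
    for control, module in stack:
        ok = outcomes[module]
        called.append(module)
        if control == "optional":
            continue                     # simplification: result is ignored
        if ok:
            succeeded = True
            if control == "sufficient" and not failed:
                return True, called      # success: remaining lines are skipped
        elif control == "requisite":
            return False, called         # failure: abort immediately
        elif control == "required":
            failed = True                # remembered, but the stack continues
        # a failed "sufficient" line is ignored
    return succeeded and not failed, called

def outcomes(unix_ok, radius_ok):
    # Constructed module results; pam_env always passes, pam_deny always fails.
    return {"pam_env": True, "pam_deny": False,
            "pam_unix": unix_ok, "pam_radius_auth": radius_ok}

# Both must pass: local check (modelled as one required line), then RADIUS.
BOTH = [("required", "pam_unix"), ("required", "pam_radius_auth")]
# Either may pass: local line changed to sufficient and placed above RADIUS.
EITHER = [("sufficient", "pam_unix"), ("required", "pam_radius_auth")]
# "include system-auth" placed first, flattened the way include merges lines.
# ASSUMPTION: these system-auth lines are hypothetical, not from the page.
INCLUDE_FIRST = [("required", "pam_env"), ("sufficient", "pam_unix"),
                 ("required", "pam_deny"), ("required", "pam_radius_auth")]

if __name__ == "__main__":
    stacks = {"BOTH": BOTH, "EITHER": EITHER, "INCLUDE_FIRST": INCLUDE_FIRST}
    for name, stack in stacks.items():
        for unix_ok in (True, False):
            for radius_ok in (True, False):
                result, called = evaluate(stack, outcomes(unix_ok, radius_ok))
                print(f"{name:13} unix={unix_ok!s:5} radius={radius_ok!s:5} "
                      f"-> auth={result!s:5} called={called}")
```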