Using pam_radius in /etc/pam.d/sshd

Chris Stankevitz chrisstankevitz at
Tue Apr 28 19:05:58 UTC 2015


1. After I supply an incorrect radius password three times, I am not
afforded an opportunity to supply my pam_unix password.  Why am I not
afforded this opportunity? (pam.d/sshd below)

2. Is there a way to reduce the number of times a user can attempt to
login with pam_radius from 3 to 1?  'man pam_radius' suggests no
options that might accomplish this.  I wonder if there are 'secret'
options at a higher level to control this.

My goal: users can log in with pam_radius or pam_unix, whichever they
choose.  I figured I would accomplish this with the following
/etc/pam.d/sshd auth and by telling users "just press enter when
prompted for the radius pw, then you will be prompted for your

auth            sufficient             no_warn no_fake_prompts
auth            requisite       no_warn allow_local
auth            sufficient
auth            required             no_warn try_first_pass

Thank you,


