SSH fallback to local account if Radius server isn't available

Question

I've edited my /etc/pam.d/sshd for Radius authentication; I added this line:

auth required pam_radius_auth.so

Also, I've commented out the line:

@include common-auth

Now SSH authentication using Radius is OK if the Radius server is UP but if the radius server is down, there's no fallback to use the local linux accounts.

Any suggestions on where to edit the file to allow me fallback to my local linux account when my Radius server fails?

Answer 1

Enable common-auth (includes pam_unix.so), and change "required" to "sufficient".

auth    sufficient      pam_radius_auth.so
@include common-auth

(2016/05/03 JST) settings for "fallback"

auth    [success=done default=bad authinfo_unavail=bad ignore=ignore]  pam_radius_auth.so localifdown
@include common-auth

Results of pam_radius_auth in the following respective cases:

                       | correct password (in Radius)         | wrong (or UNIX) password
-----------------------+--------------------------------------+-------------------------
Radius Server is alive | PAM_SUCCESS                          | PAM_AUTHINFO_UNAVAIL
-----------------------+--------------------------------------+-------------------------
Radius Server is dead  |             PAM_IGNORE (with localifdown option)
-----------------------+--------------------------------------+-------------------------

As a result:

PAM_SUCCESS          => done (Login success)
PAM_AUTHINFO_UNAVAIL => bad (Login failure)
PAM_IGNORE           => ignore (continue to "common-auth")

There is a note. If the time-out value in pam_radius_auth.conf is too small, it will determine "Radius Server is dead", before receiving the "Access Reject" from the Radius Server.