Pam_radius_auth.so – Setting up Radius on RHEL 5.6


I am currently dissecting a single-sign-on RPM. Contained within the RPM there is the module pam_radius_auth.so. Based on the documentation here: http://freeradius.org/pam_radius_auth/ and here: http://freeradius.org/pam_radius_auth/INSTALL, the module is supposed to be referenced in /etc/pam.d/ after this line:

auth required /lib/security/pam_securetty.so

and before this line:

auth required /lib/security/pam_unix_auth.so

By default I see 4 files which contain pam_securetty.so, but none which reference pam_unix_auth.so. Based on the installation documentation provided below, I can't figure out if the module line requires that the pam_unix_auth line be added to the application files so both lines are present, or if it is simply stating that if one of the lines is present it needs to be provided before or after that line. The usage of the word AND is confusing me.

Here is the confusing bit of documentation:

**********************************************************************
Redhat Linux > 5.0


make.

Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so

In the per-application configuration (/etc/pam.d/application) add:

auth sufficient /lib/security/pam_radius_auth.so

AFTER

auth required /lib/security/pam_securetty.so

and BEFORE

auth required /lib/security/pam_unix_auth.so

i.e.

auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_radius_auth.so
auth required /lib/security/pam_unix_auth.so

If anyone has configured this, could you let me know what your experience has been and what the correct interpretation is? Thanks!

Best Answer

I think that those instructions are out of date, and mention an older PAM configuration file format. The two configuration lines in question should look like this:

auth required pam_securetty.so
auth required pam_unix.so

i.e. pam_unix.so instead of pam_unix_auth.so, and no full paths to the modules (just the actual module filename).

As an aside, it seems that the pam_unix module used to be split into different modules for each purpose:

$ ls -l pam_unix*
lrwxrwxrwx 1 root root    11 Dec 14  2010 pam_unix_acct.so -> pam_unix.so
lrwxrwxrwx 1 root root    11 Dec 14  2010 pam_unix_auth.so -> pam_unix.so
lrwxrwxrwx 1 root root    11 Dec 14  2010 pam_unix_passwd.so -> pam_unix.so
lrwxrwxrwx 1 root root    11 Dec 14  2010 pam_unix_session.so -> pam_unix.so
-rwxr-xr-x 1 root root 48824 Nov  1  2010 pam_unix.so
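
An added example, not part of the original question or answer: a small Python check of the ordering the INSTALL text describes, accepting both the full-path `pam_unix_auth.so` spelling and the bare `pam_unix.so` spelling from the answer. It assumes each ordering constraint applies only when that module appears in the file, and it does not follow `include` lines; the sample file and the function names are constructed for illustration.

```python
import os
import re

# Constructed sample of /etc/pam.d/<application>, mixing old full-path and bare-name styles.
SAMPLE = """\
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   pam_radius_auth.so
auth       required     pam_unix_auth.so nullok
account    required     pam_unix.so
"""

# type, control (simple keyword or [bracketed] form), module path
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def canonical(module):
    """Strip any directory and fold the legacy pam_unix_* aliases into pam_unix.so."""
    name = os.path.basename(module)
    legacy = re.fullmatch(r"pam_unix_(auth|acct|passwd|session)\.so", name)
    return "pam_unix.so" if legacy else name

def auth_stack(text):
    """Return the canonical module names of the auth lines, in file order."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == "auth" and m.group(2) not in ("include", "substack"):
            stack.append(canonical(m.group(3)))
    return stack

def check_radius_order(text):
    """List ordering problems for pam_radius_auth.so; an empty list means the order is fine."""
    stack = auth_stack(text)
    if "pam_radius_auth.so" not in stack:
        return ["pam_radius_auth.so is not in the auth stack"]
    pos = stack.index("pam_radius_auth.so")
    problems = []
    # Assumption: each constraint applies only if that module is present in this file.
    if "pam_securetty.so" in stack and stack.index("pam_securetty.so") > pos:
        problems.append("pam_radius_auth.so comes before pam_securetty.so")
    if "pam_unix.so" in stack and stack.index("pam_unix.so") < pos:
        problems.append("pam_radius_auth.so comes after pam_unix.so")
    return problems

if __name__ == "__main__":
    print(check_radius_order(SAMPLE) or "order OK")
```

Because the RADIUS line is `sufficient`, a success there ends the auth stack, so a `pam_securetty.so` line placed after it would not be consulted for those logins.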