On 2009-08-28, Ian Chard <[email protected]> wrote:
> On 27/08/09 13:44, Schvberle Daniel wrote:
>>> Hi,
>>>
>>> I'm using OpenBSD 4.5-stable, and I'm trying to configure RADIUS
>>> authentication. What I want is for the system to try the
>>> RADIUS server,
>>> and if it fails, fall back to the local password file. In
>>> login.conf I have
>>>
>>> auth-defaults:auth=radius,passwd:radius-server=my.radius.server
>>>
>>> If the RADIUS server isn't there for whatever reason, the
>>> system doesn't
>>> fall back to password file authentication. The same happens
>>> if I specify
>>> the methods the other way round: the RADIUS server is never
>>> tried even
>>> if the password-file-based login fails.
>>>
>>> I need to make sure that I can always log in even if the
>>> RADIUS server
>>> has gone away. Is it possible to configure the system in this way?
>>>
>>> Thanks
>>> - Ian
>>
>> Why not make a new login class for radius users and make yourself
>> "backup" users in default class? Normally you'd login with users from
>> the radius class and if that fails you'd use a user from the default class.
>> Of course, that way you'd have to use different login names for the
>> two classes.
>
> That's a good workaround, thanks. Do you know if it's a bug that this
> doesn't work, or is it just not implemented? I assumed from the
> manpages that being able to specify more than one style implies that
> there's some kind of fallback mechanism.
>
> I just wanted to know whether it was worth filing a bug for this.

I used to use authentication styles for skey; as login(1) says, "To specify the alternate authentication mechanism style, the string :style is appended to the user name (i.e., user:style)." So you shouldn't need a separate account, just log in as "user:passwd". The existence of "krb5-or-pwd" suggests to me that there's probably no automatic fall-back, but I haven't checked that.

