Need help understanding PAM directives

redhat ldap google-authenticator pam freeradius

Are you really sure it's skipping pam_unix.so?

sufficient is a "non-terminal" behavior on failure. Even if the pam_unix.so check fails, authentication will go on to attempt pam_radius_auth.so.

My interpretation is:

  • The uid eq 30027 check will never return true. The test will only run if the uid is <499, making it impossible for the condition of uid eq 30027 to be true.
  • pam_unix.so would be attempted in all scenarios, and if it fails, pam_radius_auth.so would be attempted.
  • pam_google_authenticator.so will be attempted if both of them fail.

Check your logs again. The radius logins may not be failing, but the pam_unix.so check probably is logging a failure. It just isn't preventing your logins.

This answer accurately covers the scope of the original question. Any additional questions that have been posed through updates or comments will not be covered.

Related

Unable to set password in IIS 8 for Domain User as ApplicationPool Identity
Simultaneous IKEv1 and IKEv2 connection support in Strongswan
inconsistency between du -sh and df -h
LACP with 2 NICs working when either one is down, not when both are up
AWS Linux EC2: yum won't run with plugins
How does folder redirection remember the previous location of a folder?
Reinserted a RAID disk. Defined as foreign. Is import or clear the correct choice?
Remove MySQL ibdata1 without dumping and restoring existing proper databases
/usr/bin/host being used in HTTP DDoS on Debian? [duplicate]
CentOS Tuned Equivalent For Debian
Using FreeIPA for centralized sudo - using SSSD for sudoers
Using dd on disks with different sector sizes