Using pam_radius in /etc/pam.d/sshd

[Chris Stankevitz]

Hello,

1. After I supply an incorrect radius password three time, I am not
afforded an opportunity to supply my pam_unix password.  Why am I not
afforded this opportunity? (pam.d/sshd below)

2. Is there a way to reduce the number of times a user can attempt to
login with pam_radius from 3 to 1?  'man pam_radius' suggests no
options that might accomplish this.  I wonder if there are 'secret'
options at a higher level to control this.

My goal: users can log in with pam_radius or pam_unix, whichever they
choose.  I figured I would accomplish this with the following
/etc/pam.d/sshd auth and by telling users "just press enter when
prompted for the radius pw, then you will be prompted for your
passwd":

auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_radius.so
auth            required        pam_unix.so             no_warn try_first_pass


Thank you,

Chris