The line
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
should read
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
since the packet leaves port 22 on your server and goes to a random ephemeral port on the client machine, as Phil already pointed out. You might want to consider adding -m state --state ESTABLISHED if you are feeling extra paranoid.
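To make the direction mix-up concrete, here is a small model of iptables rule matching (an added example, not code from the answer above). It assumes an OUTPUT chain with a DROP policy and constructs two sample packets: the SSH server's reply (source port 22, ephemeral destination port) and a brand-new outbound connection that happens to originate from local port 22, so the effect of -m state --state ESTABLISHED is visible too.

```python
# Added example (not from the original answer): a tiny model of iptables rule
# matching, used to show why an OUTPUT rule with --dport 22 never matches the
# SSH server's reply packets, while --sport 22 does, and what adding
# -m state --state ESTABLISHED changes. The chain policy DROP is an assumption.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    ctstate: str  # conntrack state as seen by -m state: NEW, ESTABLISHED, ...


@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None   # -p
    sport: Optional[int] = None   # --sport
    dport: Optional[int] = None   # --dport
    state: Optional[str] = None   # -m state --state

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every match it specifies agrees with the packet."""
        checks = [
            (self.proto, pkt.proto),
            (self.sport, pkt.sport),
            (self.dport, pkt.dport),
            (self.state, pkt.ctstate),
        ]
        return all(want is None or want == got for want, got in checks)


def verdict(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed sample traffic. The server's sshd answers from port 22 towards
# whatever ephemeral port the client chose (here 51234).
SSH_REPLY = Packet("tcp", sport=22, dport=51234, ctstate="ESTABLISHED")
# A brand-new outbound connection that happens to originate from local port 22.
NEW_FROM_22 = Packet("tcp", sport=22, dport=51234, ctstate="NEW")

# iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT   (the rule as posted)
AS_POSTED = [Rule("ACCEPT", proto="tcp", dport=22)]
# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT   (the corrected rule)
CORRECTED = [Rule("ACCEPT", proto="tcp", sport=22)]
# iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
CORRECTED_STATEFUL = [Rule("ACCEPT", proto="tcp", sport=22, state="ESTABLISHED")]


if __name__ == "__main__":
    for name, chain in [("as posted", AS_POSTED), ("corrected", CORRECTED),
                        ("corrected+state", CORRECTED_STATEFUL)]:
        print(f"{name:16s} reply={verdict(chain, SSH_REPLY)} "
              f"new-from-22={verdict(chain, NEW_FROM_22)}")
```

The as-posted rule drops the reply because it inspects the destination port, which on a reply is the client's ephemeral port; the corrected rule accepts it. The stateful variant still accepts the reply but drops a NEW connection that merely originates from port 22, which is what the "extra paranoid" addition buys you.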
Are you really sure it's skipping pam_unix.so? sufficient is a "non-terminal" behavior on failure. Even if the pam_unix.so check fails, authentication will go on to attempt pam_radius_auth.so.

My interpretation is: the uid eq 30027 check will never return true. The test will only run if the uid is <499, making it impossible for the condition of uid eq 30027 to be true. pam_unix.so would be attempted in all scenarios, and if it fails, pam_radius_auth.so would be attempted. pam_google_authenticator.so will be attempted if both of them fail.

Check your logs again. The radius logins may not be failing, but the pam_unix.so check probably is logging a failure. It just isn't preventing your logins.
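The following is an added example, not code from the answer above: a simplified model of how Linux-PAM walks an auth stack, illustrating the point that a failing "sufficient" module gets logged but does not stop the stack. The three-module stack (pam_unix.so and pam_radius_auth.so as sufficient, pam_google_authenticator.so as required) and the per-module results are assumptions chosen to match the answer's description; the pam_succeed_if line from the question is not modelled.

```python
# Added example (not from the original answer): a simplified model of how
# Linux-PAM walks an auth stack, used to show that a failing "sufficient"
# module is logged but does not stop the stack. The three-module stack and
# the result of each module are assumptions; the pam_succeed_if line from
# the question is not modelled.
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]  # (control flag, module name)

ASSUMED_STACK: Stack = [
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_radius_auth.so"),
    ("required", "pam_google_authenticator.so"),
]


def run_auth_stack(stack: Stack, outcome: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack in order.

    outcome maps a module name to the result it would return (True = success).
    Returns (authenticated, log), where log lists each module that actually ran
    and what it reported, in the style a PAM module would write to syslog.
    """
    log: List[str] = []
    required_failed = False
    any_success = False
    for control, module in stack:
        ok = outcome[module]
        log.append(f"{module}: {'success' if ok else 'authentication failure'}")
        if control == "sufficient":
            if ok and not required_failed:
                return True, log          # success short-circuits the stack
            # a failed sufficient module is simply ignored: keep going
        elif control == "requisite":
            if not ok:
                return False, log         # failure terminates immediately
        elif control == "required":
            if not ok:
                required_failed = True    # remember, but keep running the rest
        else:
            raise ValueError(f"unsupported control flag {control!r}")
        any_success = any_success or ok
    # End of stack: fail if a required module failed or nothing succeeded.
    return (not required_failed) and any_success, log


if __name__ == "__main__":
    # The scenario from the answer: local password fails, RADIUS succeeds.
    authenticated, log = run_auth_stack(
        ASSUMED_STACK,
        {"pam_unix.so": False, "pam_radius_auth.so": True,
         "pam_google_authenticator.so": True},
    )
    print("authenticated:", authenticated)
    for line in log:
        print(" ", line)
```

Running the scenario from the answer (pam_unix.so fails, pam_radius_auth.so succeeds) authenticates the user, yet the log still carries a "pam_unix.so: authentication failure" line, which is exactly the entry to expect in the real logs. pam_google_authenticator.so only appears in the log when both sufficient modules fail.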