Need help understanding PAM directives

The line

iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

should read

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

since the packet originates from port 22 on your server and goes to a random ephemeral port on the client machine, as Phil already pointed out. You might want to consider adding -m state --state ESTABLISHED if you are feeling extra paranoid.

6
asked 8 August 2013 at 22:39
1 answer

Are you really sure it's skipping pam_unix.so?

sufficient is a "non-terminal" behavior on failure. Even if the pam_unix.so check fails, authentication will go on to attempt pam_radius_auth.so.

My interpretation is:

  • The uid eq 30027 check will never return true. The test will only run if the uid is <499, making it impossible for the condition of uid eq 30027 to be true.
  • pam_unix.so would be attempted in all scenarios, and if it fails, pam_radius_auth.so would be attempted.
  • pam_google_authenticator.so will be attempted if both of them fail.

Check your logs again. The radius logins may not be failing, but the pam_unix.so check probably is logging a failure. It just isn't preventing your logins.



3
answered 3 December 2019 at 00:38
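To make the answer's reading of the control flags concrete, here is an added example (not from the asker or the answerer) that simulates how Linux-PAM walks an `auth` stack built from the simple keywords `requisite`, `required` and `sufficient`. The stack it evaluates is a constructed one modeled on the three modules the answer names (pam_unix.so and pam_radius_auth.so as `sufficient`, pam_google_authenticator.so as `required`); the asker's real `/etc/pam.d` file is not on the page, so the flags, module order and the simulated pass/fail results are assumptions. The `uid_gate` helper restates the answer's first bullet: a condition that only runs when the uid is below 499 can never match uid 30027.

```python
"""Toy evaluator for Linux-PAM 'auth' stack control flags (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PAM_SUCCESS = "success"
PAM_AUTH_ERR = "auth_err"


@dataclass
class Entry:
    control: str                       # requisite | required | sufficient
    module: str                        # module name, for the trace only
    check: Callable[[Dict], bool]      # simulated module verdict for this login


def evaluate_stack(stack: List[Entry], user: Dict) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Walk the stack the way Linux-PAM does for the simple keywords.

    Returns (final_result, trace); the trace records every module that was
    actually attempted, which is what ends up in the auth log.
    """
    trace = []
    required_failed = False            # a 'required' module failed earlier
    for e in stack:
        ok = e.check(user)
        trace.append((e.module, e.control, "ok" if ok else "fail"))
        if e.control == "requisite":
            if not ok:                 # requisite failure ends the stack now
                return PAM_AUTH_ERR, trace
        elif e.control == "required":
            if not ok:                 # remembered, but later modules still run
                required_failed = True
        elif e.control == "sufficient":
            # Terminal only on success (and only if nothing required has failed);
            # on failure 'sufficient' is non-terminal and the stack continues.
            if ok and not required_failed:
                return PAM_SUCCESS, trace
        else:
            raise ValueError(f"unsupported control flag: {e.control}")
    return (PAM_AUTH_ERR if required_failed else PAM_SUCCESS), trace


def uid_gate(uid: int) -> bool:
    """The answer's first bullet: the 'uid eq 30027' test is only reached when
    uid < 499, so it can never be true (assumed shape of the asker's condition)."""
    if uid < 499:
        return uid == 30027
    return False


def build_stack() -> List[Entry]:
    """Constructed stack modeled on the modules the answer discusses."""
    return [
        Entry("sufficient", "pam_unix.so", lambda u: u["password_ok"]),
        Entry("sufficient", "pam_radius_auth.so", lambda u: u["radius_ok"]),
        Entry("required", "pam_google_authenticator.so", lambda u: u["otp_ok"]),
    ]


if __name__ == "__main__":
    # Constructed login scenarios; each dict is one simulated login attempt.
    scenarios = {
        "local password wrong, RADIUS ok": {"password_ok": False, "radius_ok": True, "otp_ok": False},
        "local and RADIUS wrong, OTP ok": {"password_ok": False, "radius_ok": False, "otp_ok": True},
        "everything wrong": {"password_ok": False, "radius_ok": False, "otp_ok": False},
    }
    for name, login in scenarios.items():
        result, trace = evaluate_stack(build_stack(), login)
        print(f"{name}: {result}")
        for module, control, verdict in trace:
            print(f"    {control:10s} {module:30s} {verdict}")
    print("uid 30027 passes the gate:", uid_gate(30027))
```

The first scenario is the one the answer describes: pam_unix.so runs, fails (and would log that failure), yet the login still succeeds through pam_radius_auth.so because a failing `sufficient` module does not stop the stack.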
