Hi, I am trying to configure ssh/pam to use freeradius as one of the authentication sources on a C6 box. I have freeradius running on a separate box with 2 factor authentication. Using the radtest utility, I can successfully authenticate. My problem is that I do not understand how to configure pam to use radius as an auth source and be sure I am not opening a security hole in my systems. While googling, I have found several howto's that talk about how to do this using the pam_radius utility but the examples do not match what is found in /etc/pam.d/sshd. What I would like to accomplish is the following: 1. Allow logins using ssh keys. 2. If that fails, Allow login via radius. 3. if not on the local network disallow login via a regular user name and passwd. I think 3 might be able to be accomplished via a match statement in sshd.conf but I am not sure. Does anyone know how to do this in a secure way? If I start modifying the pam.d configuration files, how can I be sure I am not opening up a security hole? Regards, -- Tom me at tdiehl.org Spamtrap address me123 at tdiehl.org