Eu consegui resolver esse problema sozinho.
Aparentemente, a única coisa que mudou foi a ordem dos módulos pam em /etc/pam.d/sshd
.
A linha auth sufficient pam_radius_auth.so
tem que estar abaixo de pam_sepermit.so
e acima de password-auth
.
Na verdade, a ordem dos módulos em /etc/pam.d/login
também não foi correta.
A linha auth sufficient pam_radius_auth.so
deve estar abaixo de pam_securetty.so
e acima de system-auth
.
Então, é assim que os arquivos parecem agora:
/etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth sufficient pam_radius_auth.so
auth substack system-auth
auth include postlogin
# auth sufficient pam_radius_auth.so
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
/etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_radius_auth.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare