pam_radius module: How to reject authentication immediately when RADIUS fails?
Ole Holm Nielsen
Ole.H.Nielsen at fysik.dtu.dk
Wed Feb 23 14:46:27 UTC 2022
On 2/23/22 15:04, Ole Holm Nielsen wrote:
> On 2/23/22 14:58, Alan DeKok wrote:
>> On Feb 23, 2022, at 8:57 AM, Ole Holm Nielsen
>> <Ole.H.Nielsen at fysik.dtu.dk> wrote:
>>>
>>> I already tried "requisite" instead of "sufficient". Then I must also
>>> comment out the line:
>>>
>>> auth substack password-auth
>>>
>>> But users that fail RADIUS authentication continue to get the same 5
>>> password questions that I'm trying to get rid of :-(
>>
>> That's controlled by PAM, not by anything we wrote.
>>
>>> Well, yes, and I know almost nothing about PAM :-( I was hoping that
>>> someone on this list would already have figured out the correct
>>> solution for pam_radius...
>>
>> There is no solution specifically for pam_radius. Ask the PAM people
>> how to configure their software.
>
> Thanks, that makes sense. This is unfortunately an uphill battle...
>
> For the record, the file /etc/pam.d/sshd actually is provided by the
> openssh-server-7.4p1-22.el7_9.x86_64 RPM. So maybe OpenSSH developers
> might have an idea.

For the OpenSSH server I believe I've found a solution: In
/etc/ssh/sshd_config one may configure:

    PasswordAuthentication no

in addition to:

    ChallengeResponseAuthentication yes

Now I only get the RADIUS password prompts as desired. Of course, one
needs to have root SSH access to the server by publickey in order not to
get locked out :-)

Thanks for pointing me in the right direction.

Best regards,
Ole
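
Added example, not part of the original message or of pam_radius/OpenSSH: a small audit of `sshd -T`-style output that checks the two settings described above plus the public-key lockout caveat. The function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Audits `sshd -T`-style output against
# the setup described above. The sample dumps below are constructed.

# Print the value of lowercase keyword $2 from the dump in $1.
sshd_opt() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Print one line per finding; return 0 if there are none, 1 otherwise.
audit_sshd_dump() {
    dump=$1; rc=0
    if [ "$(sshd_opt "$dump" passwordauthentication)" != "no" ]; then
        echo "FAIL: passwordauthentication is not 'no'"; rc=1
    fi
    # Newer OpenSSH treats ChallengeResponseAuthentication as an alias of
    # KbdInteractiveAuthentication, so accept either keyword.
    cr=$(sshd_opt "$dump" challengeresponseauthentication)
    kbd=$(sshd_opt "$dump" kbdinteractiveauthentication)
    if [ "$cr" != "yes" ] && [ "$kbd" != "yes" ]; then
        echo "FAIL: challenge-response authentication is not enabled"; rc=1
    fi
    # Lockout guard: root must still be able to log in by public key.
    if [ "$(sshd_opt "$dump" pubkeyauthentication)" != "yes" ]; then
        echo "FAIL: pubkeyauthentication is not 'yes'"; rc=1
    fi
    if [ "$(sshd_opt "$dump" permitrootlogin)" = "no" ]; then
        echo "FAIL: permitrootlogin is 'no'"; rc=1
    fi
    return "$rc"
}

SAMPLE_GOOD='passwordauthentication no
challengeresponseauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin without-password'

SAMPLE_BAD='passwordauthentication yes
challengeresponseauthentication yes
pubkeyauthentication yes
permitrootlogin no'

audit_sshd_dump "$SAMPLE_GOOD" && echo "good sample: OK"
audit_sshd_dump "$SAMPLE_BAD" || echo "bad sample: findings above"
# On a real host (as root): audit_sshd_dump "$(sshd -T)"
```

Running the audit before restarting sshd, while an existing root session stays open, catches a lockout configuration before it takes effect.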