On 2/23/22 15:04, Ole Holm Nielsen wrote:
On 2/23/22 14:58, Alan DeKok wrote:
On Feb 23, 2022, at 8:57 AM, Ole Holm Nielsen <Ole.H.Nielsen@fysik.dtu.dk> wrote:
I already tried "requisite" instead of "sufficient". Then I must also comment out the line:
auth substack password-auth
But users that fail RADIUS authentication continue to get the same 5 password questions that I'm trying to ge trid of :-(
That's controlled by PAM, not by anything we wrote.
Well, yes, and I know almost nothing about PAM :-( I was hoping that someone on this list would already have figured out the correct solution for pam_radius...
There is no solution specifically for pam_radius. Ask the PAM people how to configure their software.
Thanks, that makes sense. This is unfortunately an uphill battle...
For the record, the file /etc/pam.d/sshd actually is provided by the openssh-server-7.4p1-22.el7_9.x86_64 RPM. So maybe OpenSSH developers might have an idea.
For the OpenSSH server I believe I've found a solution: In /etc/ssh/sshd_config one may configure: PasswordAuthentication no in addition to: ChallengeResponseAuthentication yes Now I only get the RADIUS password prompts as desired. Of course, one needs to have root SSH access to the server by publickey in order not to get locked out :-) Thanks for pointing me in the right direction. Best regards, Ole