On 2/23/22 14:35, Alan DeKok wrote:
On Feb 23, 2022, at 5:54 AM, Ole Holm Nielsen via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I could not find this question as an FAQ or by google searches, so can anyone help?
This is really a question for PAM. I find PAM rather opaque. It's very difficult to understand. And debugging? Debugging doesn't exist.
Question: If the user fails RADIUS authentication, how can we reject the SSH login immediately without proceeding to other authentication methods?
IIRC you list pam_auth_radius as "requisite" instead of "sufficient": https://linux.die.net/man/5/pam.d
I already tried "requisite" instead of "sufficient". Then I must also comment out the line: auth substack password-auth But users that fail RADIUS authentication continue to get the same 5 password questions that I'm trying to ge trid of :-(
Question: Does anyone have a method for /etc/pam.d/sshd which will skip the superfluous password questions and reject the user immediately if RADIUS fails?
See the PAM documentation for how to configure PAM. This is relatively well documented, if difficult to understand.
Well, yes, and I know almost nothing about PAM :-( I was hoping that someone on this list would already have figured out the correct solution for pam_radius... Best regards, Ole