Hi, Please take a look at https://github.com/FreeRADIUS/pam_radius/blob/master/redhat/pam_sshd_example <https://github.com/FreeRADIUS/pam_radius/blob/master/redhat/pam_sshd_example> and let us know if it fix your problem. i.e: Make sure to first create a backup of your current /etc/pam.d/sshd — Jorge Pereira
On 23 Feb 2022, at 07:54, Ole Holm Nielsen via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I could not find this question as an FAQ or by google searches, so can anyone help?
We have a CentOS 7 server setup where user SSH logins require RADIUS authentication from our university's central RADIUS server. Local password authentication must be prohibited. This is sort of working, yet is not 100% satisfactory.
Question: If the user fails RADIUS authentication, how can we reject the SSH login immediately without proceeding to other authentication methods?
Our setup: I have installed the pam_radius RPM package from EPEL and added this line near the top of /etc/pam.d/sshd:
auth sufficient pam_radius_auth.so debug
While this works correctly when the user authenticates successfully with the central RADIUS server, failed authentications just makes PAM proceed to succeeding modules in /etc/pam.d/sshd (see below) which permit local password logins. This is what we want to prohibit!
So I replaced the above line by a more strict rule:
auth [success=done default=die] pam_radius_auth.so debug
This sort of works: Failed authentications keep asking the user for a password 5 times and eventually fails as desired:
Password: Password: Password: <user@server>'s password: Permission denied, please try again. <user@server>'s password: Received disconnect from <IP> port 22:2: Too many authentication failures Authentication failed.
Question: Does anyone have a method for /etc/pam.d/sshd which will skip the superfluous password questions and reject the user immediately if RADIUS fails?
FYI, the /etc/pam.d/sshd file distributed by the EPEL RPM is:
#%PAM-1.0 auth required pam_sepermit.so auth substack password-auth auth include postlogin # Used with polkit to reauthorize users in remote sessions -auth optional pam_reauthorize.so prepare account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth session include postlogin # Used with polkit to reauthorize users in remote sessions -session optional pam_reauthorize.so prepare
Thanks, Ole
-- Ole Holm Nielsen PhD, Senior HPC Officer Department of Physics, Technical University of Denmark - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jorge Pereira jpereira@networkradius.com