I could not find this question as an FAQ or by google searches, so can anyone help? We have a CentOS 7 server setup where user SSH logins require RADIUS authentication from our university's central RADIUS server. Local password authentication must be prohibited. This is sort of working, yet is not 100% satisfactory. Question: If the user fails RADIUS authentication, how can we reject the SSH login immediately without proceeding to other authentication methods? Our setup: I have installed the pam_radius RPM package from EPEL and added this line near the top of /etc/pam.d/sshd: auth sufficient pam_radius_auth.so debug While this works correctly when the user authenticates successfully with the central RADIUS server, failed authentications just makes PAM proceed to succeeding modules in /etc/pam.d/sshd (see below) which permit local password logins. This is what we want to prohibit! So I replaced the above line by a more strict rule: auth [success=done default=die] pam_radius_auth.so debug This sort of works: Failed authentications keep asking the user for a password 5 times and eventually fails as desired: Password: Password: Password: <user@server>'s password: Permission denied, please try again. <user@server>'s password: Received disconnect from <IP> port 22:2: Too many authentication failures Authentication failed. Question: Does anyone have a method for /etc/pam.d/sshd which will skip the superfluous password questions and reject the user immediately if RADIUS fails? FYI, the /etc/pam.d/sshd file distributed by the EPEL RPM is: #%PAM-1.0 auth required pam_sepermit.so auth substack password-auth auth include postlogin # Used with polkit to reauthorize users in remote sessions -auth optional pam_reauthorize.so prepare account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth session include postlogin # Used with polkit to reauthorize users in remote sessions -session optional pam_reauthorize.so prepare Thanks, Ole -- Ole Holm Nielsen PhD, Senior HPC Officer Department of Physics, Technical University of Denmark