pam_radius module: How to reject authentication immediately when RADIUS fails?
I could not find this question as an FAQ or by google searches, so can anyone help? We have a CentOS 7 server setup where user SSH logins require RADIUS authentication from our university's central RADIUS server. Local password authentication must be prohibited. This is sort of working, yet is not 100% satisfactory. Question: If the user fails RADIUS authentication, how can we reject the SSH login immediately without proceeding to other authentication methods? Our setup: I have installed the pam_radius RPM package from EPEL and added this line near the top of /etc/pam.d/sshd: auth sufficient pam_radius_auth.so debug While this works correctly when the user authenticates successfully with the central RADIUS server, failed authentications just makes PAM proceed to succeeding modules in /etc/pam.d/sshd (see below) which permit local password logins. This is what we want to prohibit! So I replaced the above line by a more strict rule: auth [success=done default=die] pam_radius_auth.so debug This sort of works: Failed authentications keep asking the user for a password 5 times and eventually fails as desired: Password: Password: Password: <user@server>'s password: Permission denied, please try again. <user@server>'s password: Received disconnect from <IP> port 22:2: Too many authentication failures Authentication failed. Question: Does anyone have a method for /etc/pam.d/sshd which will skip the superfluous password questions and reject the user immediately if RADIUS fails? FYI, the /etc/pam.d/sshd file distributed by the EPEL RPM is: #%PAM-1.0 auth required pam_sepermit.so auth substack password-auth auth include postlogin # Used with polkit to reauthorize users in remote sessions -auth optional pam_reauthorize.so prepare account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth session include postlogin # Used with polkit to reauthorize users in remote sessions -session optional pam_reauthorize.so prepare Thanks, Ole -- Ole Holm Nielsen PhD, Senior HPC Officer Department of Physics, Technical University of Denmark
On Feb 23, 2022, at 5:54 AM, Ole Holm Nielsen via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I could not find this question as an FAQ or by google searches, so can anyone help?
This is really a question for PAM. I find PAM rather opaque. It's very difficult to understand. And debugging? Debugging doesn't exist.
Question: If the user fails RADIUS authentication, how can we reject the SSH login immediately without proceeding to other authentication methods?
IIRC you list pam_auth_radius as "requisite" instead of "sufficient": https://linux.die.net/man/5/pam.d
Question: Does anyone have a method for /etc/pam.d/sshd which will skip the superfluous password questions and reject the user immediately if RADIUS fails?
See the PAM documentation for how to configure PAM. This is relatively well documented, if difficult to understand. Alan DeKok.
On 2/23/22 14:35, Alan DeKok wrote:
On Feb 23, 2022, at 5:54 AM, Ole Holm Nielsen via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I could not find this question as an FAQ or by google searches, so can anyone help?
This is really a question for PAM. I find PAM rather opaque. It's very difficult to understand. And debugging? Debugging doesn't exist.
Question: If the user fails RADIUS authentication, how can we reject the SSH login immediately without proceeding to other authentication methods?
IIRC you list pam_auth_radius as "requisite" instead of "sufficient": https://linux.die.net/man/5/pam.d
I already tried "requisite" instead of "sufficient". Then I must also comment out the line: auth substack password-auth But users that fail RADIUS authentication continue to get the same 5 password questions that I'm trying to ge trid of :-(
Question: Does anyone have a method for /etc/pam.d/sshd which will skip the superfluous password questions and reject the user immediately if RADIUS fails?
See the PAM documentation for how to configure PAM. This is relatively well documented, if difficult to understand.
Well, yes, and I know almost nothing about PAM :-( I was hoping that someone on this list would already have figured out the correct solution for pam_radius... Best regards, Ole
On Feb 23, 2022, at 8:57 AM, Ole Holm Nielsen <Ole.H.Nielsen@fysik.dtu.dk> wrote:
I already tried "requisite" instead of "sufficient". Then I must also comment out the line:
auth substack password-auth
But users that fail RADIUS authentication continue to get the same 5 password questions that I'm trying to ge trid of :-(
That's controlled by PAM, not by anything we wrote.
Well, yes, and I know almost nothing about PAM :-( I was hoping that someone on this list would already have figured out the correct solution for pam_radius...
There is no solution specifically for pam_radius. Ask the PAM people how to configure their software. Alan DeKok.
On 2/23/22 14:58, Alan DeKok wrote:
On Feb 23, 2022, at 8:57 AM, Ole Holm Nielsen <Ole.H.Nielsen@fysik.dtu.dk> wrote:
I already tried "requisite" instead of "sufficient". Then I must also comment out the line:
auth substack password-auth
But users that fail RADIUS authentication continue to get the same 5 password questions that I'm trying to ge trid of :-(
That's controlled by PAM, not by anything we wrote.
Well, yes, and I know almost nothing about PAM :-( I was hoping that someone on this list would already have figured out the correct solution for pam_radius...
There is no solution specifically for pam_radius. Ask the PAM people how to configure their software.
Thanks, that makes sense. This is unfortunately an uphill battle... For the record, the file /etc/pam.d/sshd actually is provided by the openssh-server-7.4p1-22.el7_9.x86_64 RPM. So maybe OpenSSH developers might have an idea. Best regards, Ole
On 2/23/22 15:04, Ole Holm Nielsen wrote:
On 2/23/22 14:58, Alan DeKok wrote:
On Feb 23, 2022, at 8:57 AM, Ole Holm Nielsen <Ole.H.Nielsen@fysik.dtu.dk> wrote:
I already tried "requisite" instead of "sufficient". Then I must also comment out the line:
auth substack password-auth
But users that fail RADIUS authentication continue to get the same 5 password questions that I'm trying to ge trid of :-(
That's controlled by PAM, not by anything we wrote.
Well, yes, and I know almost nothing about PAM :-( I was hoping that someone on this list would already have figured out the correct solution for pam_radius...
There is no solution specifically for pam_radius. Ask the PAM people how to configure their software.
Thanks, that makes sense. This is unfortunately an uphill battle...
For the record, the file /etc/pam.d/sshd actually is provided by the openssh-server-7.4p1-22.el7_9.x86_64 RPM. So maybe OpenSSH developers might have an idea.
For the OpenSSH server I believe I've found a solution: In /etc/ssh/sshd_config one may configure: PasswordAuthentication no in addition to: ChallengeResponseAuthentication yes Now I only get the RADIUS password prompts as desired. Of course, one needs to have root SSH access to the server by publickey in order not to get locked out :-) Thanks for pointing me in the right direction. Best regards, Ole
Hi, Please take a look at https://github.com/FreeRADIUS/pam_radius/blob/master/redhat/pam_sshd_example <https://github.com/FreeRADIUS/pam_radius/blob/master/redhat/pam_sshd_example> and let us know if it fix your problem. i.e: Make sure to first create a backup of your current /etc/pam.d/sshd — Jorge Pereira
On 23 Feb 2022, at 07:54, Ole Holm Nielsen via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I could not find this question as an FAQ or by google searches, so can anyone help?
We have a CentOS 7 server setup where user SSH logins require RADIUS authentication from our university's central RADIUS server. Local password authentication must be prohibited. This is sort of working, yet is not 100% satisfactory.
Question: If the user fails RADIUS authentication, how can we reject the SSH login immediately without proceeding to other authentication methods?
Our setup: I have installed the pam_radius RPM package from EPEL and added this line near the top of /etc/pam.d/sshd:
auth sufficient pam_radius_auth.so debug
While this works correctly when the user authenticates successfully with the central RADIUS server, failed authentications just makes PAM proceed to succeeding modules in /etc/pam.d/sshd (see below) which permit local password logins. This is what we want to prohibit!
So I replaced the above line by a more strict rule:
auth [success=done default=die] pam_radius_auth.so debug
This sort of works: Failed authentications keep asking the user for a password 5 times and eventually fails as desired:
Password: Password: Password: <user@server>'s password: Permission denied, please try again. <user@server>'s password: Received disconnect from <IP> port 22:2: Too many authentication failures Authentication failed.
Question: Does anyone have a method for /etc/pam.d/sshd which will skip the superfluous password questions and reject the user immediately if RADIUS fails?
FYI, the /etc/pam.d/sshd file distributed by the EPEL RPM is:
#%PAM-1.0 auth required pam_sepermit.so auth substack password-auth auth include postlogin # Used with polkit to reauthorize users in remote sessions -auth optional pam_reauthorize.so prepare account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth session include postlogin # Used with polkit to reauthorize users in remote sessions -session optional pam_reauthorize.so prepare
Thanks, Ole
-- Ole Holm Nielsen PhD, Senior HPC Officer Department of Physics, Technical University of Denmark - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jorge Pereira jpereira@networkradius.com
On 23-02-2022 18:28, Jorge Pereira wrote:
Please take a look at https://github.com/FreeRADIUS/pam_radius/blob/master/redhat/pam_sshd_example <https://github.com/FreeRADIUS/pam_radius/blob/master/redhat/pam_sshd_example> and let us know if it fix your problem.
i.e: Make sure to first create a backup of your current /etc/pam.d/sshd
No, that is just some generic pam_radius example. It does not at all address the question which I sent to this list. /Ole
participants (3)
-
Alan DeKok -
Jorge Pereira -
Ole Holm Nielsen