pam_radius module: How to reject authentication immediately when RADIUS fails?
Ole Holm Nielsen
Ole.H.Nielsen at fysik.dtu.dk
Wed Feb 23 10:54:01 UTC 2022
I could not find this question as an FAQ or by google searches, so can
anyone help?
We have a CentOS 7 server setup where user SSH logins require RADIUS
authentication from our university's central RADIUS server. Local
password authentication must be prohibited. This is sort of working, yet
is not 100% satisfactory.
Question: If the user fails RADIUS authentication, how can we reject the
SSH login immediately without proceeding to other authentication methods?
Our setup: I have installed the pam_radius RPM package from EPEL and added
this line near the top of /etc/pam.d/sshd:
auth sufficient pam_radius_auth.so debug
While this works correctly when the user authenticates successfully with
the central RADIUS server, failed authentications just make PAM proceed
to the succeeding modules in /etc/pam.d/sshd (see below), which permit local
password logins. This is what we want to prohibit!
So I replaced the above line by a more strict rule:
auth [success=done default=die] pam_radius_auth.so debug
This sort of works: failed authentications keep asking the user for a
password 5 times and eventually fail as desired:
Password:
Password:
Password:
<user at server>'s password:
Permission denied, please try again.
<user at server>'s password:
Received disconnect from <IP> port 22:2: Too many authentication failures
Authentication failed.
Question: Does anyone have a method for /etc/pam.d/sshd which will skip
the superfluous password questions and reject the user immediately if
RADIUS fails?
FYI, the /etc/pam.d/sshd file distributed by the EPEL RPM is:
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
Thanks,
Ole
--
Ole Holm Nielsen
PhD, Senior HPC Officer
Department of Physics, Technical University of Denmark
More information about the Freeradius-Users mailing list