pam_radius module: How to reject authentication immediately when RADIUS fails?

Ole Holm Nielsen Ole.H.Nielsen at fysik.dtu.dk
Wed Feb 23 10:54:01 UTC 2022


I could not find this question as an FAQ or by google searches, so can 
anyone help?

We have a CentOS 7 server setup where user SSH logins require RADIUS 
authentication from our university's central RADIUS server.  Local 
password authentication must be prohibited.  This is sort of working, yet 
is not 100% satisfactory.

Question: If the user fails RADIUS authentication, how can we reject the 
SSH login immediately without proceeding to other authentication methods?

Our setup: I have installed the pam_radius RPM package from EPEL and added 
this line near the top of /etc/pam.d/sshd:

auth sufficient pam_radius_auth.so debug

While this works correctly when the user authenticates successfully with 
the central RADIUS server, failed authentications just make PAM proceed 
to the succeeding modules in /etc/pam.d/sshd (see below), which permit local 
password logins.  This is what we want to prohibit!

So I replaced the above line by a more strict rule:

auth [success=done default=die] pam_radius_auth.so debug

This sort of works: Failed authentications keep asking the user for a 
password 5 times and eventually fail as desired:

Password:
Password:
Password:
<user at server>'s password:
Permission denied, please try again.
<user at server>'s password:
Received disconnect from <IP> port 22:2: Too many authentication failures
Authentication failed.

Question: Does anyone have a method for /etc/pam.d/sshd which will skip 
the superfluous password questions and reject the user immediately if 
RADIUS fails?

FYI, the /etc/pam.d/sshd file distributed by the EPEL RPM is:

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare


Thanks,
Ole

-- 
Ole Holm Nielsen
PhD, Senior HPC Officer
Department of Physics, Technical University of Denmark
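
Added example (not part of the post above, and not code from the pam_radius or Linux-PAM projects): a small Python simulation of how Linux-PAM walks an auth stack, using the sshd file quoted above with either of the two pam_radius_auth.so lines inserted after pam_sepermit.so. The password-auth and postlogin contents, and the per-module outcomes (RADIUS rejects the user while the local password happens to be valid), are assumed and constructed for the demo; the control semantics follow the ok/done/bad/die/ignore/reset/N actions documented in pam.conf(5). It shows why `sufficient` lets a RADIUS failure fall through to pam_unix.so in the password-auth substack, while `[success=done default=die]` ends the stack before any local password module is consulted.

```python
"""Simulate Linux-PAM 'auth' stack control flow for the sshd stack discussed above.

Constructed example, not part of the original post. PAM files are embedded as
strings, include/substack are expanded, and the stack is walked with the
actions documented in pam.conf(5): ok, done, bad, die, ignore, reset, N.
"""

SUCCESS, FAIL, IGNORE = "success", "auth_err", "ignore"

# Keyword controls expressed as their equivalent [...] action tables.
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Assumed, simplified CentOS 7 files; the real ones carry more lines.
PASSWORD_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
"""
POSTLOGIN = "session     optional      pam_umask.so silent\n"  # no auth lines


def sshd_file(radius_line):
    """The EPEL sshd auth stack from the post, with one RADIUS line inserted near the top."""
    return f"""\
#%PAM-1.0
auth       required     pam_sepermit.so
{radius_line}
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
"""


def parse_control(control):
    """Turn a keyword or [value=action ...] control field into an action table."""
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return KEYWORDS[control]


def load_stack(files, name):
    """Return the 'auth' entries of one file as (action_table, module, args).
    'include' is spliced in place; 'substack' becomes a nested list."""
    entries = []
    for raw in files[name].splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#") or tokens[0].lstrip("-") != "auth":
            continue
        if tokens[1].startswith("["):  # a bracket control may span several tokens
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if control == "include":
            entries.extend(load_stack(files, rest[0]))
        elif control == "substack":
            entries.append(("substack", load_stack(files, rest[0]), []))
        else:
            entries.append((parse_control(control), rest[0], rest[1:]))
    return entries


def walk(stack, outcomes, trace, state):
    """Dispatch loop. Returns True when a done/die must end the enclosing stack."""
    i = 0
    while i < len(stack):
        control, module, _args = stack[i]
        i += 1
        if control == "substack":
            walk(module, outcomes, trace, state)  # done/die end only the substack
            continue
        retval = outcomes.get(module, IGNORE)
        trace.append(module)
        action = control.get(retval, control["default"])
        if action in ("ok", "done"):
            if state["impression"] is None or (state["impression"] == "pos" and state["status"] == SUCCESS):
                if retval != IGNORE:
                    state["impression"], state["status"] = "pos", retval
            if action == "done" and state["impression"] == "pos":
                return True
        elif action in ("bad", "die"):
            if state["impression"] != "neg":
                state["impression"], state["status"] = "neg", retval
            if action == "die":
                return True
        elif action == "reset":
            state["impression"], state["status"] = None, SUCCESS
        elif action != "ignore":
            i += int(action)  # N: skip the next N entries
    return False


def authenticate(radius_line, radius_result):
    """Run the 'sshd' auth stack and return (result, modules consulted in order)."""
    files = {"sshd": sshd_file(radius_line), "password-auth": PASSWORD_AUTH,
             "postlogin": POSTLOGIN}
    outcomes = {  # constructed outcomes: RADIUS answers as given, local password is valid
        "pam_sepermit.so": SUCCESS, "pam_radius_auth.so": radius_result,
        "pam_env.so": SUCCESS, "pam_unix.so": SUCCESS, "pam_succeed_if.so": SUCCESS,
        "pam_deny.so": FAIL, "pam_reauthorize.so": IGNORE,
    }
    trace, state = [], {"impression": None, "status": SUCCESS}
    walk(load_stack(files, "sshd"), outcomes, trace, state)
    result = state["status"] if state["impression"] is not None else FAIL
    return result, trace


if __name__ == "__main__":
    for line in ("auth sufficient pam_radius_auth.so debug",
                 "auth [success=done default=die] pam_radius_auth.so debug"):
        result, seen = authenticate(line, FAIL)
        print(f"{line}\n  RADIUS rejects -> {result}; modules consulted: {seen}")
```

With the `sufficient` line the simulation returns success and lists pam_unix.so among the consulted modules; with `[success=done default=die]` it returns auth_err after only pam_sepermit.so and pam_radius_auth.so, so no local password module ever runs. Note that the PAM stack result is final on the first failed attempt in both cases; the repeated prompts in the transcript come from the SSH client retrying the keyboard-interactive and then the password method (governed by the client's NumberOfPasswordPrompts and the server's MaxAuthTries), which a PAM stack result alone does not suppress.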


More information about the Freeradius-Users mailing list