pam_radius module: How to reject authentication immediately when RADIUS fails?
Ole Holm Nielsen
Ole.H.Nielsen at fysik.dtu.dk
Wed Feb 23 13:57:04 UTC 2022
On 2/23/22 14:35, Alan DeKok wrote:
> On Feb 23, 2022, at 5:54 AM, Ole Holm Nielsen via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>
>> I could not find this question as an FAQ or by google searches, so can anyone help?
>
> This is really a question for PAM. I find PAM rather opaque. It's very difficult to understand. And debugging? Debugging doesn't exist.
>
>> Question: If the user fails RADIUS authentication, how can we reject the SSH login immediately without proceeding to other authentication methods?
>
> IIRC you list pam_auth_radius as "requisite" instead of "sufficient": https://linux.die.net/man/5/pam.d
I already tried "requisite" instead of "sufficient". Then I must also
comment out the line:
    auth substack password-auth
But users that fail RADIUS authentication continue to get the same 5
password questions that I'm trying to get rid of :-(
>> Question: Does anyone have a method for /etc/pam.d/sshd which will skip the superfluous password questions and reject the user immediately if RADIUS fails?
>
> See the PAM documentation for how to configure PAM. This is relatively well documented, if difficult to understand.
Well, yes, and I know almost nothing about PAM :-( I was hoping that
someone on this list would already have figured out the correct solution
for pam_radius...
Best regards,
Ole
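
An added illustration, not part of the original thread or of any project's code: a small Python model of the "requisite" versus "sufficient" difference discussed above, following the control-flag semantics in pam.d(5). The two stacks and the pam_unix.so fallback line are constructed samples, and the model covers a single pass through the auth stack only (no substack or include handling).

```python
# Model of ONE pass through a Linux-PAM "auth" stack, per pam.d(5) control flags.
# Both stacks are constructed samples; pam_unix.so stands in for a local fallback.
SUFFICIENT_STACK = """\
auth  sufficient  pam_radius_auth.so
auth  required    pam_unix.so
"""
REQUISITE_STACK = """\
auth  requisite   pam_radius_auth.so
auth  required    pam_unix.so
"""
FLAGS = ("required", "requisite", "sufficient", "optional")

def parse_stack(text):
    """Return [(control, module)] for the auth lines, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            if fields[1] not in FLAGS:
                raise ValueError("unsupported control: " + fields[1])
            stack.append((fields[1], fields[2]))
    return stack

def run_stack(stack, outcomes):
    """outcomes: module -> True (success) / False (failure).
    Returns (granted, modules_called_in_order)."""
    called, failed, succeeded = [], False, False
    for control, module in stack:
        called.append(module)
        ok = outcomes[module]
        if not ok:
            if control == "requisite":
                return False, called      # fail now, skip the rest
            if control == "required":
                failed = True             # fail later, keep going
            continue                      # sufficient/optional failure is ignored
        if control == "sufficient" and not failed:
            return True, called           # success now, skip the rest
        if control != "sufficient":
            succeeded = True
    return succeeded and not failed, called

if __name__ == "__main__":
    radius_down = {"pam_radius_auth.so": False, "pam_unix.so": True}
    for name, text in (("sufficient", SUFFICIENT_STACK), ("requisite", REQUISITE_STACK)):
        print(name, run_stack(parse_stack(text), radius_down))
```

With RADIUS failing, the "sufficient" stack goes on to consult the next module, while the "requisite" stack returns failure after calling only pam_radius_auth.so.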