pam_radius module: How to reject authentication immediately when RADIUS fails?
Ole Holm Nielsen
Ole.H.Nielsen at fysik.dtu.dk
Wed Feb 23 14:04:36 UTC 2022
On 2/23/22 14:58, Alan DeKok wrote:
> On Feb 23, 2022, at 8:57 AM, Ole Holm Nielsen <Ole.H.Nielsen at fysik.dtu.dk> wrote:
>>
>> I already tried "requisite" instead of "sufficient". Then I must also comment out the line:
>>
>> auth substack password-auth
>>
>> But users that fail RADIUS authentication continue to get the same 5 password questions that I'm trying to ge trid of :-(
>
> That's controlled by PAM, not by anything we wrote.
>
>> Well, yes, and I know almost nothing about PAM :-( I was hoping that someone on this list would already have figured out the correct solution for pam_radius...
>
> There is no solution specifically for pam_radius. Ask the PAM people how to configure their software.
Thanks, that makes sense. This is unfortunately an uphill battle...
For the record, the file /etc/pam.d/sshd actually is provided by the
openssh-server-7.4p1-22.el7_9.x86_64 RPM. So maybe OpenSSH developers
might have an idea.
Best regards,
Ole
More information about the Freeradius-Users
mailing list