pam_radius module: How to reject authentication immediately when RADIUS fails?
Jorge Pereira
jpereira at freeradius.org
Wed Feb 23 17:28:56 UTC 2022
Hi,
Please take a look at https://github.com/FreeRADIUS/pam_radius/blob/master/redhat/pam_sshd_example and let us know if it fixes your problem.
i.e., make sure to first create a backup of your current /etc/pam.d/sshd
—
Jorge Pereira
> On 23 Feb 2022, at 07:54, Ole Holm Nielsen via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> I could not find this question as an FAQ or by google searches, so can anyone help?
>
> We have a CentOS 7 server setup where user SSH logins require RADIUS authentication from our university's central RADIUS server. Local password authentication must be prohibited. This is sort of working, yet is not 100% satisfactory.
>
> Question: If the user fails RADIUS authentication, how can we reject the SSH login immediately without proceeding to other authentication methods?
>
> Our setup: I have installed the pam_radius RPM package from EPEL and added this line near the top of /etc/pam.d/sshd:
>
> auth sufficient pam_radius_auth.so debug
>
> While this works correctly when the user authenticates successfully with the central RADIUS server, failed authentications just make PAM proceed to succeeding modules in /etc/pam.d/sshd (see below) which permit local password logins. This is what we want to prohibit!
>
> So I replaced the above line by a more strict rule:
>
> auth [success=done default=die] pam_radius_auth.so debug
>
> This sort of works: Failed authentications keep asking the user for a password 5 times and eventually fail as desired:
>
> Password:
> Password:
> Password:
> <user at server>'s password:
> Permission denied, please try again.
> <user at server>'s password:
> Received disconnect from <IP> port 22:2: Too many authentication failures
> Authentication failed.
>
> Question: Does anyone have a method for /etc/pam.d/sshd which will skip the superfluous password questions and reject the user immediately if RADIUS fails?
>
> FYI, the /etc/pam.d/sshd file distributed by the EPEL RPM is:
>
> #%PAM-1.0
> auth required pam_sepermit.so
> auth substack password-auth
> auth include postlogin
> # Used with polkit to reauthorize users in remote sessions
> -auth optional pam_reauthorize.so prepare
> account required pam_nologin.so
> account include password-auth
> password include password-auth
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session required pam_loginuid.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session required pam_selinux.so open env_params
> session required pam_namespace.so
> session optional pam_keyinit.so force revoke
> session include password-auth
> session include postlogin
> # Used with polkit to reauthorize users in remote sessions
> -session optional pam_reauthorize.so prepare
>
>
> Thanks,
> Ole
>
> --
> Ole Holm Nielsen
> PhD, Senior HPC Officer
> Department of Physics, Technical University of Denmark
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
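The thread turns on how the PAM control field of the pam_radius_auth.so line decides what happens after a RADIUS failure: `sufficient` ignores the failure and lets the stack fall through to the local password modules, `required` records the failure but still runs the rest of the stack, and `[success=done default=die]` stops the auth stack at once. The following added example (not code from the pam_radius project or from either poster) is a small audit script that parses an `/etc/pam.d/sshd` auth stack, maps each keyword control to its bracketed equivalent as documented in pam.conf(5), and reports which of those three outcomes a RADIUS failure would produce. It assumes the RADIUS failure is returned as PAM_AUTH_ERR, and it assumes that the `password-auth` and `system-auth` stacks pulled in via `include`/`substack` contain pam_unix.so, as they do on CentOS 7; the sample configurations are constructed from the lines quoted in the thread.

```python
"""Audit an sshd PAM auth stack for fall-through after a pam_radius_auth.so failure."""
import re

# One PAM rule: optional leading '-', type, control (keyword or [bracketed]), module, args.
PAM_RULE = re.compile(
    r'^-?(?P<type>auth|account|password|session)\s+'
    r'(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$')

# Bracketed equivalents of the keyword controls, per pam.conf(5).
KEYWORD_CONTROLS = {
    'required':   {'success': 'ok',   'new_authtok_reqd': 'ok',   'ignore': 'ignore', 'default': 'bad'},
    'requisite':  {'success': 'ok',   'new_authtok_reqd': 'ok',   'ignore': 'ignore', 'default': 'die'},
    'sufficient': {'success': 'done', 'new_authtok_reqd': 'done', 'default': 'ignore'},
    'optional':   {'success': 'ok',   'new_authtok_reqd': 'ok',   'default': 'ignore'},
}

LOCAL_PASSWORD_MODULES = ('pam_unix.so',)
# Assumption: these included stacks contain pam_unix.so (true on CentOS 7 / RHEL 7).
LOCAL_PASSWORD_STACKS = ('password-auth', 'system-auth')


def parse_auth_rules(text):
    """Return the 'auth' rules of a pam.d file as dicts, comments and blank lines skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = PAM_RULE.match(line)
        if m and m.group('type') == 'auth':
            rules.append(m.groupdict())
    return rules


def control_actions(control):
    """Expand a control field into its {return_value: action} mapping."""
    if control.startswith('['):
        return dict(kv.split('=', 1) for kv in control[1:-1].split())
    return KEYWORD_CONTROLS.get(control, {})   # include/substack carry no actions


def action_on_auth_failure(control):
    """Action PAM takes when the module returns PAM_AUTH_ERR (assumed for a RADIUS reject)."""
    actions = control_actions(control)
    return actions.get('auth_err', actions.get('default', 'ignore'))


def audit_sshd_auth(text):
    """Classify what a RADIUS failure leads to in this auth stack."""
    rules = parse_auth_rules(text)
    for idx, rule in enumerate(rules):
        if rule['module'] == 'pam_radius_auth.so':
            break
    else:
        return 'no-radius-rule'
    action = action_on_auth_failure(rule['control'])
    if action == 'die':
        return 'reject-immediately'          # [success=done default=die] or requisite
    if action == 'bad':
        return 'reject-after-stack'          # required: failure recorded, later modules still run
    # 'ignore' (sufficient): does anything later grant access with a local password?
    for later in rules[idx + 1:]:
        if later['module'] in LOCAL_PASSWORD_MODULES or (
                later['control'] in ('include', 'substack')
                and later['module'] in LOCAL_PASSWORD_STACKS):
            return 'falls-through-to-local-password'
    return 'no-local-fallback'


# Constructed samples: the EPEL-style auth rules quoted in the thread, with the
# pam_radius_auth.so line inserted at the top using each control discussed.
SSHD_TAIL = """\
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
"""
LOOSE = "auth sufficient pam_radius_auth.so debug\n" + SSHD_TAIL
STRICT = "auth [success=done default=die] pam_radius_auth.so debug\n" + SSHD_TAIL
REQUIRED = "auth required pam_radius_auth.so\n" + SSHD_TAIL

if __name__ == '__main__':
    for name, cfg in (('sufficient', LOOSE), ('required', REQUIRED), ('success=done default=die', STRICT)):
        print(f'{name:28s} -> {audit_sshd_auth(cfg)}')
```

Run it against the real file with `audit_sshd_auth(open('/etc/pam.d/sshd').read())`; a result of `falls-through-to-local-password` is the configuration the original poster wanted to prohibit. The script only examines the PAM auth stack, so the remaining password prompts seen with the strict rule, which come from the SSH layer retrying keyboard-interactive and password authentication, are outside its scope.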
Jorge Pereira
jpereira at networkradius.com