Bug 2247227

Summary: pam_radius version 2 not working with multi factor authentication/2FA
Product: [Fedora] Fedora EPEL
Component: pam_radius
Version: epel8
Status: NEW
Severity: medium
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Reporter: Muzi <muzammel.linux>
Assignee: Iker Pedrosa <ipedrosa>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: alexander.m.scheel, ipedrosa

Description Muzi 2023-10-31 12:09:52 UTC
Description of problem:
The current version of pam_radius shipped in EPEL8 and EPEL9 isn't working in MFA (2FA) mode. If we bypass 2FA auth, then only radius auth works, but if we include both (2FA), then it does not work: the password prompt repeats again and again and sends requests to the radius server. The first attempt with the radius password is successful, but the 2nd password prompt, for the OS password, is not successful and it is sent again to the radius server. For example, see below:

ssh infra.nabil.x.x

password (enter radius password) --> successful auth as per radius logs.
password (enter OS password) --> failed because the request is sent again to the radius server instead of local auth

Here are the debug logs of pam.d/sshd

Oct 31 02:37:28 Linux-9 sshd[3789900]: pam_radius_auth: Got user name infra.nabil
Oct 31 02:37:28 Linux-9 sshd[3789900]: pam_radius_auth: ignore last_pass, force_prompt set
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_radius_auth: Sending RADIUS request code 1
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_radius_auth: DEBUG: get_ipaddr(10.50.1.1) returned 0.
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_radius_auth: Got RADIUS response code 2
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_radius_auth: authentication succeeded
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.50.3.117 user=infra.nabil
Oct 31 02:37:56 Linux-9 sshd[3789893]: error: PAM: Authentication failure for infra.nabil from 10.50.3.117
Oct 31 02:37:56 Linux-9 sshd[3792074]: pam_radius_auth: Got user name infra.nabil
Oct 31 02:37:56 Linux-9 sshd[3792074]: pam_radius_auth: ignore last_pass, force_prompt set
Oct 31 02:38:24 Linux-9 sshd[3792074]: pam_radius_auth: Sending RADIUS request code 1
Oct 31 02:38:24 Linux-9 sshd[3792074]: pam_radius_auth: DEBUG: get_ipaddr(10.50.1.1) returned 0.
Oct 31 02:38:25 Linux-9 sshd[3792074]: pam_radius_auth: Got RADIUS response code 3
Oct 31 02:38:25 Linux-9 sshd[3792074]: pam_radius_auth: authentication failed
Oct 31 02:38:27 Linux-9 sshd[3789893]: error: PAM: Authentication failure for infra.nabil from 10.50.3.117


Version-Release number of selected component (if applicable):
pam_radius-2.0.0-3.el9.x86_64 and 2.0.0-3.el8.x86_64

How reproducible:


Steps to Reproduce:
1. yum install pam_radius on either EPEL8 or EPEL9
2. vi /etc/pam_radius.conf (enter radius server ip, port and secret)
3. vi /etc/pam.d/sshd and add the line below at the top to enable 2FA.
#%PAM-1.0
auth       required     pam_radius_auth.so (only this line needs to be added, at the top)
auth       substack     password-auth 
auth       include      postlogin 

4. Add a user in the OS and set up a password for it.
useradd testuser
passwd testuser

5. vi /etc/ssh/sshd_config, and make the changes below.

ChallengeResponseAuthentication yes
PasswordAuthentication yes

6. systemctl restart sshd

Actual results:

ssh testuser.x.x
password (enter radius password) --> auth Ok successful.
password (enter OS password) --> failed, as this password request again goes to the radius server instead of local auth; the password prompt pops up again
password (enter OS password) --> failed again, the request goes to the radius server.


Expected results:
ssh testuser.x.x
password (enter radius password) --> radius auth Ok successful.
password (enter OS password) --> local auth ok successful.
user login to ssh successfully.

Additional info:
The same thing works fine on pam_radius-1.4.0-15 on both EPEL8 and EPEL9, but after upgrading to version 2, it won't work as expected.
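
To read the debug log in the description attempt by attempt, the following added example (not part of the original report and not pam_radius code) groups the PAM module messages by sshd PID and puts the RADIUS response code next to the pam_unix result. The function names and result labels are hypothetical; the sample lines are copied from the log in this report.

```python
import re

# RADIUS packet codes defined in RFC 2865.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}

# Sample lines copied from the debug log in this report.
SAMPLE_LOG = """\
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_radius_auth: Sending RADIUS request code 1
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_radius_auth: Got RADIUS response code 2
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.50.3.117 user=infra.nabil
Oct 31 02:37:56 Linux-9 sshd[3789893]: error: PAM: Authentication failure for infra.nabil from 10.50.3.117
Oct 31 02:38:24 Linux-9 sshd[3792074]: pam_radius_auth: Sending RADIUS request code 1
Oct 31 02:38:25 Linux-9 sshd[3792074]: pam_radius_auth: Got RADIUS response code 3
"""

LINE_RE = re.compile(r"sshd\[(\d+)\]: (pam_radius_auth|pam_unix)\b(.*)$")
RESP_RE = re.compile(r"Got RADIUS response code (\d+)")

def summarize(lines):
    """Group PAM module messages by sshd PID, in log order."""
    attempts = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. the sshd parent's "error: PAM" summary lines
        pid, module, rest = m.groups()
        rec = attempts.setdefault(pid, {"radius": None, "pam_unix_failed": False})
        resp = RESP_RE.search(rest)
        if module == "pam_radius_auth" and resp:
            code = int(resp.group(1))
            rec["radius"] = RADIUS_CODES.get(code, f"code {code}")
        elif module == "pam_unix" and "authentication failure" in rest:
            rec["pam_unix_failed"] = True
    return attempts

def classify(rec):
    """Name the step of the PAM stack at which this attempt stopped."""
    if rec["radius"] == "Access-Accept":
        return "radius-accept/pam_unix-fail" if rec["pam_unix_failed"] else "radius-accept"
    if rec["radius"] == "Access-Reject":
        return "radius-reject"
    return "no-radius-verdict"

if __name__ == "__main__":
    for pid, rec in summarize(SAMPLE_LOG.splitlines()).items():
        print(pid, rec["radius"], classify(rec))
```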

Comment 1 Muzi 2023-11-13 06:55:38 UTC
Any update on this, please?

Comment 2 Iker Pedrosa 2023-11-13 08:36:34 UTC
I'm following the issue that you opened in pam_radius. I see you are getting good answers and suggestions there. Did you try them all?

Comment 3 Muzi 2023-11-13 18:04:36 UTC
(In reply to Iker Pedrosa from comment #2)
> I'm following the issue that you opened in pam_radius. I see you are getting
> good answers and suggestions there. Did you try them all?

Thank you for the prompt response. Yes, I tried all the options, including a custom compile using the master branch, but the result is the same.

Comment 4 Muzi 2024-01-02 12:58:51 UTC
Any update please, @Iker Pedrosa?

Comment 5 Muzi 2024-04-25 07:11:04 UTC
Kindly please update on this. Thanks.