Description of problem:
The current version of pam_radius shipped in EPEL8 and EPEL9 isn't working in MFA (2FA) mode. If we bypass 2FA auth, then radius auth alone works, but if we include both (2FA), then it does not work: the password prompt repeats again and again and sends requests to the radius server. The first attempt with the radius password is successful, but the 2nd password prompt, for the OS password, is not successful and it is sent again to the radius server. For example, see below:

ssh infra.nabil.x.x
password (enter radius password) --> successful auth as per radius logs.
password (enter OS password) --> failed due to the request being sent again to the radius server instead of local auth

Here are the debug logs of pam.d/sshd:

Oct 31 02:37:28 Linux-9 sshd[3789900]: pam_radius_auth: Got user name infra.nabil
Oct 31 02:37:28 Linux-9 sshd[3789900]: pam_radius_auth: ignore last_pass, force_prompt set
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_radius_auth: Sending RADIUS request code 1
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_radius_auth: DEBUG: get_ipaddr(10.50.1.1) returned 0.
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_radius_auth: Got RADIUS response code 2
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_radius_auth: authentication succeeded
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.50.3.117 user=infra.nabil
Oct 31 02:37:56 Linux-9 sshd[3789893]: error: PAM: Authentication failure for infra.nabil from 10.50.3.117
Oct 31 02:37:56 Linux-9 sshd[3792074]: pam_radius_auth: Got user name infra.nabil
Oct 31 02:37:56 Linux-9 sshd[3792074]: pam_radius_auth: ignore last_pass, force_prompt set
Oct 31 02:38:24 Linux-9 sshd[3792074]: pam_radius_auth: Sending RADIUS request code 1
Oct 31 02:38:24 Linux-9 sshd[3792074]: pam_radius_auth: DEBUG: get_ipaddr(10.50.1.1) returned 0.
Oct 31 02:38:25 Linux-9 sshd[3792074]: pam_radius_auth: Got RADIUS response code 3
Oct 31 02:38:25 Linux-9 sshd[3792074]: pam_radius_auth: authentication failed
Oct 31 02:38:27 Linux-9 sshd[3789893]: error: PAM: Authentication failure for infra.nabil from 10.50.3.117

Version-Release number of selected component (if applicable):
pam_radius-2.0.0-3.el9.x86_64 and 2.0.0-3.el8.x86_64

How reproducible:

Steps to Reproduce:
1. yum install pam_radius on either EPEL8 or EPEL9
2. vi /etc/pam_radius.conf (enter radius server ip, port and secret)
3. vi /etc/pam.d/sshd and add the line below at the top to enable 2FA.

#%PAM-1.0
auth required pam_radius_auth.so (this line needs to be added only on top)
auth substack password-auth
auth include postlogin

4) add a user in the OS and set up a password for it.

useradd testuser
passwd testuser

5) vi /etc/ssh/sshd_config, and make the changes below.

ChallengeResponseAuthentication yes
PasswordAuthentication yes

6) systemctl restart sshd

Actual results:
ssh testuser.x.x
password (enter radius password) --> auth OK, successful.
password (enter OS password) --> failed, as this password request again goes to the radius server instead of local auth; the password prompt pops up again
password (enter OS password) --> failed, again the request goes to the radius server.

Expected results:
ssh testuser.x.x
password (enter radius password) --> radius auth OK, successful.
password (enter OS password) --> local auth OK, successful.
User logs in to ssh successfully.

Additional info:
The same thing works fine with pam_radius-1.4.0-15 on both EPEL8 and EPEL9, but after upgrading to version 2 it won't work as expected.
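
A triage aid for the debug log in the report above, added here as an example (not code from the reporter or from the pam_radius project): it groups PAM module results by sshd PID so each conversation shows which module ended it. The function names are hypothetical, the RADIUS code names are those of RFC 2865, and the embedded lines are copied from the report.

```python
import re
from collections import defaultdict

# RADIUS packet codes (RFC 2865) that appear in pam_radius_auth debug output.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<mod>pam_\w+)(?:\([^)]*\))?: (?P<msg>.*)")
CODE = re.compile(r"(?:Sending RADIUS request|Got RADIUS response) code (\d+)")

# Log lines copied from the report above (DEBUG and prompt lines omitted).
REPORT_LOG = """\
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_radius_auth: Sending RADIUS request code 1
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_radius_auth: Got RADIUS response code 2
Oct 31 02:37:54 Linux-9 sshd[3789900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.50.3.117 user=infra.nabil
Oct 31 02:37:56 Linux-9 sshd[3789893]: error: PAM: Authentication failure for infra.nabil from 10.50.3.117
Oct 31 02:38:24 Linux-9 sshd[3792074]: pam_radius_auth: Sending RADIUS request code 1
Oct 31 02:38:25 Linux-9 sshd[3792074]: pam_radius_auth: Got RADIUS response code 3
"""

def pam_events(log_text):
    """Group PAM module outcomes by sshd PID, in log order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # e.g. sshd's own "error: PAM:" summary line
        pid, msg = int(m["pid"]), m["msg"]
        if m["mod"] == "pam_radius_auth":
            c = CODE.search(msg)
            if c:
                code = int(c[1])
                events[pid].append("radius:" + RADIUS_CODES.get(code, f"code-{code}"))
        elif m["mod"] == "pam_unix" and msg.startswith("authentication failure"):
            events[pid].append("pam_unix:failure")
    return dict(events)

def classify(evts):
    """Name the module that ended one PAM conversation."""
    if "radius:Access-Reject" in evts:
        return "rejected-by-radius"
    if "radius:Access-Accept" in evts and "pam_unix:failure" in evts:
        return "radius-accepted-then-pam_unix-failed"
    if "radius:Access-Accept" in evts:
        return "radius-accepted"
    return "no-radius-result"

if __name__ == "__main__":
    for pid, evts in pam_events(REPORT_LOG).items():
        print(pid, classify(evts), evts)
```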
Any update on this, please?
I'm following the issue that you opened in pam_radius. I see you are getting good answers and suggestions there. Did you try them all?
(In reply to Iker Pedrosa from comment #2)
> I'm following the issue that you opened in pam_radius. I see you are getting
> good answers and suggestions there. Did you try them all?

Thank you for the prompt response. Yes, I tried all the options, including a custom compile using the master branch, but the result is the same.
Any update please, @Iker Pedrosa?
Kindly please update on this. Thanks.