
I have installed the pam radius rpm package and successfully configured /etc/pam.d/sshd, /etc/ssh/sshd_config, and /etc/pam_radius.conf. I know it is working, as I am getting a push notification to my handheld device after I enter my password. When I approve the push notification I am able to log in. My concern is: why am I not being prompted to enter the Verification Code if I don't respond via the out-of-band notification? What's even more odd is that on our Debian-based systems (Ubuntu), it works as expected. It seems only Red Hat-based systems have the issue.

Current Behavior: I am only able to respond out of band to confirm the 2FA authentication. If I fail to respond I am then prompted for the password again, instead of the Verification Code.

CentOS 6 Screen Shot

Expected Behavior: If I fail to respond to the out-of-band notification (i.e. phone in airplane mode), ssh should fail over and prompt for a "Verification code".

Ubuntu Screen Shot

Thanks in advance.

/etc/ssh/sshd_config

ChallengeResponseAuthentication yes
UsePAM yes

/etc/pam.d/sshd

#%PAM-1.0
auth       sufficient   pam_radius_auth.so

Logfile /var/log/secure

Jan 12 17:26:51 mddirector sshd[9242]: pam_radius_auth: Got user name username
Jan 12 17:26:54 mddirector sshd[9242]: pam_radius_auth: Sending RADIUS request code 1
Jan 12 17:26:54 mddirector sshd[9242]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 411494816.
Jan 12 17:27:09 mddirector sshd[9242]: pam_radius_auth: RADIUS server 10.1.69.126 failed to respond
Jan 12 17:27:09 mddirector sshd[9242]: pam_radius_auth: All RADIUS servers failed to respond.
Jan 12 17:27:09 mddirector sshd[9242]: pam_radius_auth: authentication failed
Jan 12 17:27:09 mddirector unix_chkpwd[9303]: password check failed for user (username)
Jan 12 17:27:09 mddirector sshd[9242]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1  user=username
Jan 12 17:27:12 mddirector sshd[9240]: error: PAM: Authentication failure for username from ::1
Jan 12 17:27:12 mddirector sshd[9304]: pam_radius_auth: Got user name username
Winn

1 Answer

Thank you all for your help :)

I had to increase the timeout in pam_radius.conf; I changed it from 15 to 30.

Winn
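The log in the question shows 15 seconds between "Sending RADIUS request" and "failed to respond", the same value the answer says the timeout was set to. The following Python script is an added example, not part of the original post: it measures that gap per sshd PID and compares it with the timeout field of pam_radius.conf. The config sample, its placeholder secret, and the function names are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Constructed sample in the pam_radius.conf layout: server[:port] shared_secret timeout (s).
# The secret is a placeholder; the address and the timeout of 15 are the values from the post.
SAMPLE_CONF = """\
# server[:port]   shared_secret   timeout (s)
10.1.69.126       PLACEHOLDER     15
"""

# The pam_radius_auth lines for one attempt, as quoted in the question.
SAMPLE_LOG = """\
Jan 12 17:26:51 mddirector sshd[9242]: pam_radius_auth: Got user name username
Jan 12 17:26:54 mddirector sshd[9242]: pam_radius_auth: Sending RADIUS request code 1
Jan 12 17:27:09 mddirector sshd[9242]: pam_radius_auth: RADIUS server 10.1.69.126 failed to respond
Jan 12 17:27:09 mddirector sshd[9242]: pam_radius_auth: All RADIUS servers failed to respond.
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: pam_radius_auth: (.*)$")
FAILED = re.compile(r"RADIUS server (\S+) failed to respond")

def conf_timeouts(text):
    """Map server (port stripped, IPv4/hostname only) -> timeout in seconds."""
    out = {}
    for raw in text.splitlines():
        fields = [] if raw.lstrip().startswith("#") else raw.split()
        if len(fields) >= 3 and fields[2].isdigit():
            out[fields[0].split(":")[0]] = int(fields[2])
    return out

def radius_waits(log_text, timeouts):
    """Return (pid, server, seconds_waited, hit_timeout) for each unanswered request."""
    sent, results = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # syslog timestamps carry no year; a fixed leap year keeps Feb 29 parseable
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        if msg.startswith("Sending RADIUS request"):
            sent[pid] = ts
        elif (f := FAILED.search(msg)) and pid in sent:
            waited = int((ts - sent.pop(pid)).total_seconds())
            limit = timeouts.get(f.group(1))
            results.append((pid, f.group(1), waited, limit is not None and waited >= limit))
    return results
```

A `hit_timeout` of `True` means the module stopped waiting at its configured limit, which points at the timeout value rather than at a reject from the RADIUS server.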