How to handle challenge response using PAM auth in FreeRadius

John Dennis jdennis at
Mon Mar 15 17:56:51 CET 2010

On 03/15/2010 12:16 PM, Rajendra Hegde wrote:
> Hello,
> I am developing a PAM module for radius server.
> The radius server is configured to use PAM auth.
> It reads /etc/pam.d/radiusd and loads it on receiving auth request.
> The PAM module talks to external Authentication server and sometimes
> gets back "Challenge Response".
> How can this be returned back to radius server from pam_sm_authenticate
> from my PAM module ?
> Please note that this is different than what pam_radius_auth.c does.
> pam_radius_auth.c talks to radius directly via network
> whereas my module directly gets loaded by Radius.
> Why should not there be a way to return "Challenge Response"
> from linux PAM back to its loader ?
> Can this possible linux limitation be overcome by radius calling another
> exported function for
> PAM module covering all scenarios including "Challenge Response" ?
> Where should I look into in the freeradius codebase, if I were to
> add that functionality ?
> with best regards,

Your question is a bit muddled. I'm not sure if you are asking how to
forward the challenge through RADIUS back to the client or if you're
just asking how to handle a pam "conversation" within your
authentication module. If it's the former, then the answer is you can't
do that in general. On the other hand if all you want to know is how to
handle a pam conversation then take a look at rlm_pam.c and see the
function PAM_conv and read the man page for pam_conv.

John Dennis <jdennis at>
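
Added example, not part of the original thread and not FreeRADIUS's rlm_pam.c code: a PAM conversation callback of the kind pam_conv(3) describes, assuming Linux-PAM's message layout. It answers prompts from the credentials of a single request and fails the conversation when the module asks for a second secret, which is where a challenge from a module would surface. The names `conv_state` and `one_shot_conv` are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#if defined(__has_include) && __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else /* stand-ins carrying Linux-PAM's values, so the file builds without PAM headers */
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1,
       PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
#endif

/* Hypothetical per-request state: the credentials carried by one auth request. */
struct conv_state {
    const char *user;
    const char *password;
    int secrets_given;  /* ECHO_OFF prompts answered so far */
    int unanswerable;   /* set when the module asks for something we do not hold */
};

/* Conversation callback (assumption: Linux-PAM layout, msg[i] points to message i). */
int one_shot_conv(int num_msg, const struct pam_message **msg,
                  struct pam_response **resp, void *appdata)
{
    struct conv_state *st = appdata;
    if (num_msg <= 0 || !msg || !resp || !st) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof(*r));
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {
        const char *answer = NULL;
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:  answer = st->user; break;
        case PAM_PROMPT_ECHO_OFF: /* first secret prompt gets the password */
            if (st->secrets_given++ == 0) answer = st->password;
            break;                /* a later one is a challenge we cannot answer */
        case PAM_TEXT_INFO:
        case PAM_ERROR_MSG: continue; /* informational, no reply expected */
        default: break;
        }
        if (answer && (r[i].resp = malloc(strlen(answer) + 1)))
            strcpy(r[i].resp, answer);
        if (!r[i].resp) {             /* no answer available, or allocation failed */
            st->unanswerable = 1;
            for (int j = 0; j < i; j++) free(r[j].resp);
            free(r);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}
```

On success the PAM library owns and frees the response array; on failure the callback frees what it allocated and leaves `*resp` untouched.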
