How to handle challenge response using PAM auth in FreeRadius

Rajendra Hegde Rajendra.hegde at
Mon Mar 15 18:12:28 CET 2010

The scenario is like this :
{remote client }  ----->  {radius}  ---> {PAM} ---->  {Extern Athenticator}
Now when the external authenticator sends challenge to PAM, I do not see  a easy way to pass the "challenge text" back to the radius.
Please note that pam_sm_authenticate allows either SUCCESS or FAILURE return
but not  "Challnege text" return.


From: John Dennis [mailto:jdennis at]
Sent: Mon 3/15/2010 12:56 PM
To: FreeRadius users mailing list
Cc: Rajendra Hegde
Subject: Re: How to handle challenge response using PAM auth in FreeRadius

On 03/15/2010 12:16 PM, Rajendra Hegde wrote:
> Hello,
> I am developing a PAM module for radius server.
> The radius server is configured to use PAM auth.
> It reads /etc/pam.d/radiusd and loads it on receiving auth request.
> The PAM module talks to external Authentication server and sometimes
> gets back "Challenge Respose".
> How can this be returned back to radius server from pam_sm_authenticate
> from my PAM module ?
> Please note that this is different than what pam_radius_auth.c does.
> pam_radius_auth.c talks to radius directly via network
> where as my module directly gets loaded by Radius.
> Why should not there be a way to return "Challenge Respose"
> from linux PAM back to it's loader ?
> Can this possible linux limitation be overcome by radius calling another
> exported function for
> PAM module covering all scenarios including "Challenge Response" ?
> Where should I look into in the freeradius codebase, if I were to
> add that functionality ?
> with best regards,

Your question is a bit muddled. I'm not sure if you asking how to
forward the challenge through RADIUS back to the client or if you're
just asking how to handle a pam "conversation" within your
authentication module. If it's the former, then the answer is you can't
do that in general. On the other hand if all you want to know is how to
handle a pam conversation the take a look at rlm_pam.c and see the
function PAM_conv and read the man page for pam_conv.

John Dennis <jdennis at>

Looking to carve out IT costs?


The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Statements and opinions expressed in this e-mail may not represent those of the company. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender immediately and delete the material from any computer.  Please see our legal details at
CRYPTOCard Inc. is registered in the province of Ontario, Canada with Business number 80531 6478.  CRYPTOCard Europe is limited liability company registered in England and Wales (with registered number 05728808 and VAT number 869 3979 41); its registered office is Aztec Centre, Aztec West, Almondsbury, Bristol, UK, BS32 4TD

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list