Multi-stage PAM authentication

Alan DeKok aland at
Tue Jun 12 19:52:53 CEST 2018

On Jun 12, 2018, at 12:07 PM, Rothstein, Joseph <joseph.rothstein at> wrote:
> We have developed a token-based PAM library to perform authentication on
> stand-alone systems. Tokens are requested from a corporate portal, and are
> issued for a specific user, device, and time period. Each group os devices
> has their own key, and this key is then used to "de-crypt" the token and
> confirm validity period.
> We would like to adapt this PAM library to support FortiGate admin
> logon against a radius server with the PAM module installed.

  The FreeRADIUS PAM plugin (rlm_pam) doesn't support challenge-response.

  It's better to just have FreeRADIUS do the queries directly.  The "rest" module supports querying REST interfaces. so that should work.

  If that isn't good enough, it should be simple to adapt your code to create a custom FreeRADIUS plugin.  That will work *much* better than going through layers of PAM.

  Alan DeKok.

More information about the Freeradius-Users mailing list