We recently had a customer that wanted to check a password against AD via kerberos and then an one-time passcode against a WiKID Strong Authentication server via radius. We found that PAM passed the AD password to our OTP server, which failed. We have added a pam option "always prompt" in the attached code. This will force a "WiKID passcode:" prompt regardless of any previous password entry. The /etc/pam.d/sshd file looks like: Here's the /etc/pam.d/sshd: #%PAM-1.0 auth required /lib/security/pam_krb5.so auth requisite /lib/security/pam_radius_auth.so always_prompt account required pam_nologin.so account include system-auth password include system-auth session optional pam_keyinit.so force revoke session include system-auth session required pam_loginuid.so No changes to system-auth were made. The /etc/ssh/sshd_config looks like: Protocol 2 SyslogFacility AUTHPRIV PasswordAuthentication yes ChallengeResponseAuthentication yes GSSAPIAuthentication yes UsePAM yes AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL X11Forwarding yes UseDNS no Subsystem sftp /usr/libexec/openssh/sftp-server The key change is that ChallengeResponseAuthentication is yes. Hopefully, others will find this of use. Nick -- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication