I setup the pam_radius_auth.so in pam.d/sshd to verify the user using the remote Radius server. As the protocol, When used in an Access-Challenge, it MAY indicate a dialog message to prompt the user for a response. like following flow 1) server sends the access-challenge message with reply-message YOUR PASSWORD HAS EXPIRED. PLEASE ENTER THE NEW PASSWORD 2) client sedns back the access-Request message. 3) server sends another access-challenge message with reply-message PLEASE RE-ENTER THE NEW PASSWORD AGAIN FOR VERIFICATION 4) client sedns back the access-Request message again. I think the message flow is right, but at the point-2 and point-4, the prompt should be popped and ask us to input the passwd. However, our freeradius sends the access-Request automatically. Just checked the code, and not find the problem when doing access-chanllenge. the function rad_converse() calls pam_get_item(). I think it is only place to suspect, can this function pop the prompt? anyone encounter this problem? /* It's full challenge-response, we should have echo on */ retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, challenge, &resp2challenge); +++processing access-chanllenge code+++ while (response->code == PW_ACCESS_CHALLENGE) { attribute_t *a_state, *a_reply; char challenge[BUFFER_SIZE]; /* Now we do a bit more work: challenge the user, and get a response */ if (((a_state = find_attribute(response, PW_STATE)) == NULL) || ((a_reply = find_attribute(response, PW_REPLY_MESSAGE)) == NULL)) { /* Actually, State isn't required. */ _pam_log(LOG_ERR, "RADIUS Access-Challenge received with State or Reply-Message missing"); retval = PAM_AUTHINFO_UNAVAIL; goto error; } /* * Security fixes. */ if ((a_state->length <= 2) || (a_reply->length <= 2)) { _pam_log(LOG_ERR, "RADIUS Access-Challenge received with invalid State or Reply-Message"); retval = PAM_AUTHINFO_UNAVAIL; goto error; } memcpy(challenge, a_reply->data, a_reply->length - 2); challenge[a_reply->length - 2] = 0; DPRINT(LOG_DEBUG, "Got Prompt=%s",challenge); /* It's full challenge-response, we should have echo on */ retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, challenge, &resp2challenge); <<<<< here /* now that we've got a response, build a new radius packet */ build_radius_packet(request, user, resp2challenge, &config); /* request->code is already PW_AUTHENTICATION_REQUEST */ request->id++; /* one up from the request */ /* copy the state over from the servers response */ add_attribute(request, PW_STATE, a_state->data, a_state->length - 2); retval = talk_radius(&config, request, response, resp2challenge, NULL, 1); PAM_FAIL_CHECK; DPRINT(LOG_DEBUG, "Got response to challenge code %d", response->code); } +++code+++ +++log+++ May 28 23:12:13 sshd[20729]: pam_radius_auth: Sending RADIUS request code 1 May 28 23:12:13 sshd[20729]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -745295136. May 28 23:12:13 sshd[20729]: pam_radius_auth: Got RADIUS response code 11 May 28 23:12:13 sshd[20729]: pam_radius_auth: Got Prompt=YOUR PASSWORD HAS EXPIRED. PLEASE ENTER THE NEW PASSWORD: <<<< receive rely-message field May 28 23:12:13 sshd[20729]: pam_radius_auth: Got response to challenge code 11 May 28 23:12:13 sshd[20729]: pam_radius_auth: Got Prompt=PLEASE RE-ENTER THE NEW PASSWORD AGAIN FOR VERIFICATION: <<<< receive rely-message field May 28 23:12:18 sshd[20729]: pam_radius_auth: Got response to challenge code 3 May 28 23:12:18 sshd[20729]: pam_radius_auth: authentication failed +++log+++ -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-autoreply-the-access-chan... Sent from the FreeRadius - User mailing list archive at Nabble.com.