First of all let me say that I am using: FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu. I am trying to configure pam-radius-auth and freeRADIUS to allow users to ssh into a box and radius will appropriately match their permissions and etc. I've come across a problem that I am unable to solve, (I have a little over two months of experience with linux and even less with RADIUS and PAM) I have managed to get freeRADIUS running and I can do; 'radtest steve testing localhost 10 testing123' And i receive; Access-Accept packet from host 127.0.0.1 port 1812, id=114, length=71 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = 172.16.3.33 Framed-IP-Netmask = 255.255.255.0 Framed-Routing = Broadcast-Listen Filter-Id = "std.ppp" Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP Now my problem occurs when I attempt to switch over to using ssh. I have configures the files; (The beginning of) /etc/pam.d/sshd auth required pam_env.so # [1] auth required pam_env.so envfile=/etc/default/locale auth sufficient /lib/security/pam_radius_auth.so debug @include common-auth ... And the matching shared secret for the server and pam_radius_auth.conf I've notices something in the logs which i have marked with '****'. Anyhelp is greatly appreciated. Here is the relavent part of the log from radiusd -X Using 'radtest steve testing localhost 10 testing123' rad_recv: Access-Request packet from host 127.0.0.1 port 58878, id=34, length=57 User-Name = "steve" User-Password = "testing" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "steve", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry steve at line 76 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "testing" [pap] Using clear text password "testing" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 34 to 127.0.0.1 port 58878 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = 172.16.3.33 Framed-IP-Netmask = 255.255.255.0 Framed-Routing = Broadcast-Listen Framed-Filter-Id = "std.ppp" Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 34 with timestamp +16 Ready to process requests. Using 'ssh steve@localhost' password: testing rad_recv: Access-Request packet from host 127.0.0.1 port 26561, id=106, length=83 User-Name = "steve" User-Password = "\010\n\r\177INCORRECT" **** NAS-IP-Address = 127.0.0.1 NAS-Identifier = "sshd" NAS-Port = 25536 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "wisdur" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "steve", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry steve at line 76 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "? INCORRECT" **** [pap] Using clear text password "testing" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> steve attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 106 to 127.0.0.1 port 26561 Waking up in 4.9 seconds. Cleaning up request 1 ID 106 with timestamp +36 Ready to process requests.