I'm using pam_radius_auth with 'skip_passwd' to talk to FreeRADIUS, and seem to be receiving garbage passwords in the initial request, instead of the empty password I expected. (USAGE says pam_radius_auth sends a "NULL" password, but I don't know if it means the User-Password field is to be zero-length, zero-filled, or nonexisting.) PAM config: auth required pam_radius_auth-1.4.0.so debug skip_passwd The User-Password contained in the initial request appears as 16 random-looking bytes:
------------- freeradius -X rad_recv: Access-Request packet from host 127.0.0.1 port 41394, id=210, length=72 User-Name = "user" User-Password = "\222\350)\2304Z@ \374\217G>߇<\t" ...
rlm_perl: test.pl: RAD_REQUEST: User-Password = '\222\350)\2304Z@ \374\217G>�?<\t' rlm_perl: Added pair User-Password = \222\350)\2304Z@ \374\217G>�?<\t
The "rlm_perl: test.pl" line comes from a perl script that just prints the received values, like example.pl. If I give an empty response to a password prompt, I get the empty password as expected:
------------- freeradius -X rad_recv: Access-Request packet from host 127.0.0.1 port 41394, id=211, length=71 User-Name = "user" User-Password = ""
rlm_perl: test.pl: RAD_REQUEST: User-Password = '' rlm_perl: Added pair User-Password =
This works with both the initial password prompt if skip_passwd is not set, and in replies to any Access-Challenges sent later on. I don't think this is the expected behaviour given the documentation, any thoughts?