Creating a two man login module

Brian Candler b.candler at
Wed Oct 16 21:10:36 CEST 2013

On 16/10/2013 19:20, PEOPLES, MICHAEL P wrote:
> What I can't figure out is where do I code the prompts?  There are 
> suggestions that it is in one of the "getty" type processes, but I 
> cannot figure it.

You could try returning appropriate responses from the PAM "conversation 
function". In principle it ought to be able to engage in a 
challenge-response-challenge-response type of exchange. I don't have any 
sample code, but the pam_opie module might be a good starting point.

In practice, many clients of PAM (e.g. POP3 daemons) just collect a 
username and password and blindly squirt them at the conversation 
function, assuming that it will always be prompting for username and 
password respectively.

But if the login access method you are using supports this extended 
exchange, it *may* interact properly with PAM for it.

You are probably interested in console getty and/or ssh; and I think ssh 
v2 supports a "keyboard-interactive" exchange which I believe is a 

If you are writing a custom PAM module, you can make it do whatever you 
like to validate the two passwords - two separate RADIUS queries for 
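
Added example, not part of the original post or of any project's code: the two-prompt exchange described above, written in C as a module would drive it through the client's conversation function. The structures are stand-ins for those in Linux-PAM's `<security/pam_appl.h>`; `two_person_auth`, `verify_fn`, the scripted client and the sample secrets are assumptions made for the illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-ins shaped like Linux-PAM's <security/pam_appl.h>, which a real module includes instead. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1 };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **, struct pam_response **, void *); void *appdata_ptr; };
typedef int (*verify_fn)(int person, const char *secret); /* hypothetical back end, 1 = valid */

/* One echo-off prompt through the client's conversation function; NULL on failure. */
static char *ask(const struct pam_conv *pc, const char *prompt) {
    struct pam_message m = { PAM_PROMPT_ECHO_OFF, prompt };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    if (pc->conv(1, &mp, &r, pc->appdata_ptr) != PAM_SUCCESS || r == NULL) return NULL;
    char *s = r->resp;
    free(r);
    return s;
}

/* Always issues both prompts, so a failure does not reveal which secret was wrong. */
int two_person_auth(const struct pam_conv *pc, verify_fn verify) {
    static const char *prompts[2] = { "First password: ", "Second password: " };
    int ok = 1;
    for (int i = 0; i < 2; i++) {
        char *s = ask(pc, prompts[i]);
        if (s == NULL) return PAM_CONV_ERR;
        ok &= (verify(i, s) == 1);
        memset(s, 0, strlen(s)); /* best-effort wipe before free */
        free(s);
    }
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Constructed client: answers the n-th prompt with answers[n], refuses a third. */
static struct script { const char *answers[2]; int asked; } demo;
static int scripted_conv(int n, const struct pam_message **msg,
                         struct pam_response **resp, void *data) {
    struct script *sc = data;
    if (n != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF || sc->asked >= 2) return PAM_CONV_ERR;
    const char *a = sc->answers[sc->asked++];
    if ((*resp = calloc(1, sizeof **resp)) == NULL) return PAM_CONV_ERR;
    if (((*resp)->resp = malloc(strlen(a) + 1)) != NULL) strcpy((*resp)->resp, a);
    return PAM_SUCCESS;
}
static int sample_verify(int p, const char *s) { return !strcmp(s, p ? "bravo-secret" : "alpha-secret"); }
int run_demo(const char *a, const char *b) { /* constructed answers in, PAM result code out */
    demo = (struct script){ { a, b }, 0 };
    struct pam_conv pc = { scripted_conv, &demo };
    return two_person_auth(&pc, sample_verify);
}
```

In a real module the `struct pam_conv` comes from `pam_get_item(pamh, PAM_CONV, ...)` inside `pam_sm_authenticate`, and whether the second prompt ever reaches a person depends on the client, as the reply notes.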

More information about the Freeradius-Devel mailing list