freeradius using pam_oath doesn't return otp challenge
Martin Kraus
lists_mk at wujiman.net
Sat Jun 15 19:20:24 CEST 2013
Hi.
I'd like to have freeradius authenticate users using their password (for
simplicity I'm using /etc/shadow now) and TOTP through liboath. I was hoping
to use freeradius to centralize this. PAM looked like the easiest way.
I'm using freeradius 2.1.12 from debian wheezy.
PAM configuration is simple:
auth required pam_unix.so nullok_secure
auth requisite pam_oath.so usersfile=/etc/users.oath debug
On the testing machine running freeradius this works great for su:
<root|lex>[pam.d]# su
Password:
[pam_oath.c:parse_cfg(118)] called.
[pam_oath.c:parse_cfg(119)] flags 0 argc 3
[pam_oath.c:parse_cfg(121)] argv[0]=usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(121)] argv[1]=window=1
[pam_oath.c:parse_cfg(121)] argv[2]=debug
[pam_oath.c:parse_cfg(122)] debug=1
[pam_oath.c:parse_cfg(123)] alwaysok=0
[pam_oath.c:parse_cfg(124)] try_first_pass=0
[pam_oath.c:parse_cfg(125)] use_first_pass=0
[pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(127)] digits=0
[pam_oath.c:parse_cfg(128)] window=1
[pam_oath.c:pam_sm_authenticate(157)] get user returned: root
One-time password (OATH) for `root':
After entering the password the pam_oath module sends the challenge for OTP and
then it authenticates me. SSH works well as well.
However when I run freeradius I never get the challenge:
pam_pass: using pamauth string <radiusd> for pam.conf lookup
[pam_oath.c:parse_cfg(118)] called.
[pam_oath.c:parse_cfg(119)] flags 0 argc 3
[pam_oath.c:parse_cfg(121)] argv[0]=usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(121)] argv[1]=window=1
[pam_oath.c:parse_cfg(121)] argv[2]=debug
[pam_oath.c:parse_cfg(122)] debug=1
[pam_oath.c:parse_cfg(123)] alwaysok=0
[pam_oath.c:parse_cfg(124)] try_first_pass=0
[pam_oath.c:parse_cfg(125)] use_first_pass=0
[pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(127)] digits=0
[pam_oath.c:parse_cfg(128)] window=1
[pam_oath.c:pam_sm_authenticate(157)] get user returned: root
[pam_oath.c:pam_sm_authenticate(232)] conv returned: karel
[pam_oath.c:pam_sm_authenticate(248)] OTP too short: karel
[pam_oath.c:pam_sm_authenticate(322)] done. [Authentication failure]
pam_pass: function pam_authenticate FAILED for <root>. Reason: Authentication failure
It seems it gets passed the first password even though neither try_first_pass
nor use_first_pass is set for the pam_oath module. It looks like freeradius
passes it the User-Password attribute.
Is this a problem in freeradius or the pam stack or am I doing something
wrong?
I was expecting to get a radius access-challenge proxying the pam_oath
challenge similar to how ssh takes care of this.
Is there a way to get this setup working? I'd like to use the ldap passwords
for users so I'm trying to avoid plaintext secrets in oath configuration.
So far it seems I cannot use more than one authentication method in freeradius,
so pam or some custom module seem like the only two options.
Thanks for pointers
Martin
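The failure in the log above comes down to the PAM conversation function: when su or sshd run the stack, each module's prompt reaches a human who types a different answer, whereas a one-shot RADIUS-to-PAM bridge has nobody on the line and answers every echo-off prompt with the single User-Password value, so pam_oath receives the Unix password ("karel", five characters) where it expects an OTP and rejects it as too short. The following is an added example, not code from the original post, from FreeRADIUS or from pam_oath: a small Python model of a two-module stack (`pam_unix` then `pam_oath` with window=1) driven by three conversation functions. `radius_conv` reproduces the one-answer-fits-all behaviour implied by the log, `interactive_conv` models su/ssh, and `split_conv` is a hypothetical workaround in which the client concatenates password and TOTP code into one attribute and the bridge splits them. The shadow entry, the users.oath secret (the RFC 6238 test-vector secret) and the password "karel" are constructed sample data; the module names and prompts are stand-ins, not the real PAM modules.

```python
# Added example: model of a PAM auth stack under different conversation functions.
# Constructed data: SHADOW and OATH_SECRETS stand in for /etc/shadow and
# /etc/users.oath; the secret is the RFC 6238 SHA-1 test-vector secret.
import hashlib
import hmac
import struct

SHADOW = {"root": "karel"}
OATH_SECRETS = {"root": b"12345678901234567890"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time counter."""
    return hotp(secret, now // step, digits)


def pam_unix(conv, user):
    """Stand-in for pam_unix.so: one echo-off prompt, compared to the shadow entry."""
    return SHADOW.get(user) == conv("Password: ")


def pam_oath(conv, user, now, log, window=1, digits=6):
    """Stand-in for pam_oath.so (usersfile=..., window=1): prompt, record what the
    conversation returned, reject short input, then a windowed TOTP compare."""
    otp = conv(f"One-time password (OATH) for `{user}':")
    log.append(f"conv returned: {otp}")
    if len(otp) < digits:
        log.append(f"OTP too short: {otp}")
        return False
    step = now // 30
    ok = any(hotp(OATH_SECRETS[user], step + d, digits) == otp
             for d in range(-window, window + 1))
    log.append("done. [Success]" if ok else "done. [Authentication failure]")
    return ok


def auth_stack(conv, user, now):
    """auth required pam_unix ; auth requisite pam_oath. Returns (success, module log)."""
    log = []
    unix_ok = pam_unix(conv, user)             # 'required': stack continues on failure
    oath_ok = pam_oath(conv, user, now, log)   # 'requisite': failure ends the stack
    return unix_ok and oath_ok, log


def radius_conv(user_password):
    """One-shot RADIUS bridge: no user on the line, so every echo-off prompt
    gets the same User-Password attribute value."""
    return lambda prompt: user_password


def interactive_conv(answers):
    """su/sshd: each prompt reaches a human, who types the next answer."""
    queue = list(answers)
    return lambda prompt: queue.pop(0)


def split_conv(combined, digits=6):
    """Hypothetical workaround (not a FreeRADIUS feature): the client sends
    password+OTP in one attribute; the bridge answers the password prompt with
    everything but the last `digits` characters and the OTP prompt with the rest."""
    answers = {"Password: ": combined[:-digits]}
    return lambda prompt: answers.get(prompt, combined[-digits:])


if __name__ == "__main__":
    now = 59
    code = totp(OATH_SECRETS["root"], now)
    for name, conv in [("radius", radius_conv("karel")),
                       ("interactive", interactive_conv(["karel", code])),
                       ("split", split_conv("karel" + code))]:
        ok, log = auth_stack(conv, "root", now)
        print(f"{name:12s} {'OK' if ok else 'FAIL'}  {' | '.join(log)}")
```

Running it shows the radius case failing with "OTP too short: karel" exactly as in the post, while the interactive and split cases succeed; the window check also accepts a code from the adjacent 30-second step and rejects one two steps away, which is the window=1 behaviour the debug output reports.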