SSH auth with FreeRADIUS

Alan DeKok aland at
Sun Sep 4 23:43:25 CEST 2016

On Sep 4, 2016, at 3:42 PM, Janis Heller <janis.heller at> wrote:
> I would like to use FreeRADIUS to handle all SSH logins to my servers. Of course a „emergency“ login with a user registered on the server should be possible too (in case of RADIUS server is offline etc.).
> Now when I try to login as for example user test, the following code is shown at RADIUS debug:
> Ready to process requests
> (10) Received Access-Request Id 151 from XY to XY:1812 length 90
> (10)   User-Name = "test"
> (10)   User-Password = "\010\n\r\177INCORRECT"

  You will note that isn't your password.

> It seems like there is some kind of PAM module running before the RADIUS pam module. Any idea how to get this fixed? Looking into my sshd file of RADIUS I can’t see a pam module running before.

  The user isn't available on the local system.

  PAM does passwords.  It doesn't do UID, GID, shell, etc.  When it notices that someone without a UID is logging in, it butchers the password with a very helpful (i.e. stupid) message.

  You will need to configure a local user.  Then, authenticate that user via RADIUS.

  Alan DeKok.

More information about the Freeradius-Users mailing list