Exercising Challenge/Response code path in pam client?

Richard Perrin rcp at sentientmeat.ca
Sat Sep 24 15:43:02 CEST 2016

On Fri, Sep 23, 2016 at 8:46 PM, Alan DeKok <aland at deployingradius.com> wrote:
> On Sep 23, 2016, at 3:40 PM, Richard Perrin <rcp at sentientmeat.ca> wrote:
> [...]
>> Which of the existing methods would you select for least friction in
>> configuring?
>   You can't just pick something and implement it.  You need *reasons* to implement challenge-response.  If you don't have reasons, you don't need it.

My reason is that I'm integrating the pam-radius-auth client into a
product and need to verify the full client functionality. I need to
create a lasting test-bed that simulates a target deployment that
would be using Challenge/Response authentication. I'm familiar with
configuring and implementing PAM modules, but this is the first time I
haven't had a pre-deployed RADIUS server to test against. So, I'm
setting freeradius server up and configuring it for the first time.
Thus, I'll re-iterate my original request:

I'm seeking a simple as possible config for freeradius server (now
version 3.0.11) that would allow me to exercise the Challenge/Response
path in the pam client (packaged on Ubuntu 14.04 as

An additional detail is that I'm using the radius pam module for the
login and ssh services.

I looked at the rlm_otp module, but found the otpd codebase is
dormant. rlm_eap may be where I end up, but the breadth of options
there seems like I'll spend a lot of time figuring out the
configuration. rlm_yubikey, rlm_securid, and rlm_smsotp require
devices or infrastructure I don't currently have, but could obtain if
warranted. Of the other modules that grep for CHALLENGE,
rlm_preprocess, rlm_example, rlm_replicate don't seem suitable. So
rlm_cram, rlm_mschap, rlm_chap or rlm_eap seem like the best
candidates. EAP has documentation, which the others lack.

Is there one that seems like the winner for ease of configuration for

- Richard

More information about the Freeradius-Users mailing list