How to do FreeRADIUS understand the ssh encrypted password that is passed?

Alan DeKok aland at
Thu Jul 27 21:38:27 CEST 2017

On Jul 27, 2017, at 3:27 PM, Kalil de A. Carvalho <kalilac at> wrote:
> Here the parts of debug output that it is important, I think:


> "My *guess* is that the SSH session is set up to use PAM.  And that PAM is
> mangling to the password to "invalid" or some such string." <- you ware
> right!
> Received Access-Request Id 51 from IP_SOURCE:10722 to SERVER_RADIUS:1812
> length 89
> User-Name = 'bo01'
> User-Password = '\010\n\r\177INCORRECT'

  As I said.

  The problem is in PAM.  No amount of poking FreeRADIUS will make it work.

  One of the other PAM modules is failing to find the user locally, and is mangling the password to "INCORRECT".

  PAM *requires* that users have local accounts.  i.e. UID, GID, shell, etc.  PAM *cannot* authenticate users who don't have local accounts.

  PAM is only for doing remote password checks.  Not for remotely creating users.

  Alan DeKok.

More information about the Freeradius-Users mailing list