I've got a Freeradius server set up where the users in /etc/freeradius/users have Auth-Type := PAM
. This makes radius refer to the /etc/pam.d/radiusd file, and in this file I have
auth requisite pam_google_authenticator.so forward_pass
auth sufficient pam_unix.so use_first_pass
This works fine, but the issue is that it prompts only for a single Password, and the user is supposed to concatenate their unix password + google auth code. Then the google_authenticator module strips out the auth code, checks it, and forwards the remainder of the password to the next module.
As I said, it works fine, but I would like the user to be prompted twice: the first time for the Verification Code, and the second time for the unix Password. How to do this?