how to configure freeradius for separate Code and Password prompts, instead of a single Password prompt?

Question

I've got a Freeradius server set up where the users in /etc/freeradius/users have Auth-Type := PAM. This makes radius refer to the /etc/pam.d/radiusd file, and in this file I have

auth requisite pam_google_authenticator.so forward_pass
auth sufficient pam_unix.so use_first_pass

This works fine, but the issue is that it prompts only for a single Password, and the user is supposed to concatenate their unix password + google auth code. Then the google_authenticator module strips out the auth code, checks it, and forwards the remainder of the password to the next module.

As I said, it works fine, but I would like the user to be prompted twice: the first time for the Verification Code, and the second time for the unix Password. How to do this?

There's no way to do this. Which is why this procedure exists! — Michael Hampton, Jan 16 '16 at 18:25
can you elaborate. does the radius server not have the capability to prompt twice? — Michael Martinez, Jan 16 '16 at 20:03
There is absolutely nothing in the protocol for two factor authentication. — Michael Hampton, Jan 16 '16 at 20:04
if this is the case, then why does the pam_radius_auth.so module have options for "prompt" and "force_prompt", whose purpose, according to the docs, is: "useful for multi-factor authentication when presenting the same prompt twice might confuse users ..." ... ? — Michael Martinez, Jan 16 '16 at 20:07

how to configure freeradius for separate Code and Password prompts, instead of a single Password prompt?

0 Answers0