Did some digging, and tried running the Radius server in debug/trace mode. I saw this: (0) Received Access-Request Id 227 from 172.21.12.17:54545 to 172.27.44.237:1812 length 96 (0) User-Name = "pprindeville2" (0) User-Password = "\010\n\r\177INCORRE" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Identifier = "sshd" (0) NAS-Port = 334707 (0) NAS-Port-Type = Virtual (0) Service-Type = Authenticate-Only (0) Calling-Station-Id = "172.21.12.3" Which isn't remotely what I typed. Any ideas where this would get corrupted in the pipeline (well, I guess it's both a stack and a pipeline, depending on how you look at it)? Now the behavior has changed. The password is corrupted if the home directory exists or not. > On Oct 24, 2023, at 12:39 AM, Philip Prindeville <philipp_subx@xxxxxxxxxxxxxxxxxxxxx> wrote: > > I had a test client (Ubuntu 22.04) set up, and I was running tcpdump on the server (also Ubuntu, running Freeradius 3.0). > > I had created a username & password on the Radius server, and if I tried to log into the client with those credentials, it failed. > > But as soon as I created a "cut out" on the client (same username, but '*' password in the shadow file), I could log in because the server was no longer rejecting the authorization request. > > I don't get it. How would the server know if there was a local user or not? Nothing in the messages seem to be different, other than the things you'd expect (the message id, and the random seed that the password gets hashed with). All other parts of the message were identical. > > How was the client conveying to the server that there wasn't a local account present? > > Thanks > -- You received this message because you are subscribed to the Google Groups "pam-list@xxxxxxxxxx" group. To unsubscribe from this group and stop receiving emails from it, send an email to pam-list+unsubscribe@xxxxxxxxxx.