Hi, I thought this would be easy but now I'm wondering if it will be possible at all. We are transitioning to a DMZ for all ssh logins. During phase one, people will use a standard (but different than internal) password which will be obtained either through LDAP or the passwd module (we just haven't picked one yet, either should be fine).
But eventually the DMZ ssh will need to be OTP. So I wanted to be able to offer OTP as an option during transition for people to try out and get used to while still being able to use their other traditional password. So fallback in the case of one method (e.g. LDAP) being unavailable is pretty easy. But in this case both methods would be available, and I'd want to test the password against both methods. Is this even possible? It seems like once it has found a working module in authorize, it can only use that one module in authenticate. What's the solution? tom tom - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html