First and foremost, this is a multi-faceted issue, involving several
pieces of software working together. If I should be asking in more (or
other) places please let me know. This has me at wits end.

Okay, I've been messing with sshd with pam_radius for a while under
FreeBSD. My goal is to use the template_user field such that I don't
have to add users to 30 separare boxes.

My radius password works totally fine when the user is in the password
file, but when the user is NOT, it would appear from the logs that
openssh is sending along EMPTY passwords (at least according to sshd in
debug mode, and radiusd in debug mode):

I'm posting this to the openssh dev list because quite frankly, other
daemons get it right. Login, telnetd, su, they all work. There's
something strange in the interactions with pam, and specifically the
way the password gets encrypted (and pam_radius doesn't have a debug
mode).

my /etc/pam.d/sshd file:

auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn
no_fake_prompts
auth requisite pam_opieaccess.so no_warn
allow_local
#auth sufficient pam_krb5.so no_warn
try_first_pass
#auth sufficient pam_ssh.so no_warn
try_first_pass
auth sufficient pam_radius.so try_first_pass
template_user=admin
auth required pam_unix.so no_warn
try_first_pass

here's what I get on login with a good and a bad user:

ads-bsh-fwa1# ssh admin@localhost
RADIUS Password:
$ Connection to localhost closed.
ads-bsh-fwa1# ssh danm2@localhost
RADIUS Password:
RADIUS Password:
RADIUS Password:
danm2@localhost's password:
Permission denied, please try again.
danm2@localhost's password:

ads-bsh-fwa1#

This is what I get in my radius logs:

Starting - reading configuration files ...
Ready to process requests.
radrecv: Packet from host xx.xx.xx.210 code=1, id=230, length=65
User-Name = "danm3"
User-Password = "n\341(\322j|aK\342\264\364\317\300\334\321\331"
NAS-Identifier = "ads-bsh-fwa1"
Service-Type = Authenticate-Only
users: Matched danm3 at line 33
auth: Local
Sending Reject of id 230 to xx.xx.xx.210
Login incorrect: [danm3/
INCORRECT] (from nas ads-bsh-fwa1.xx/S0)
radrecv: Packet from host xx.xx.xx.210 code=1, id=185, length=65
User-Name = "danm3"
User-Password = "g\277'\032\" #\233R\270\364\301\367\322\261\201"
NAS-Identifier = "ads-bsh-fwa1"
Service-Type = Authenticate-Only
users: Matched danm3 at line 33
auth: Local
Sending Reject of id 185 to xx.xx.xx.210
Login incorrect: [danm3/
INCORRECT] (from nas ads-bsh-fwa1.xx/S0)

Things to try:

pam_radius_auth, here: http://www.freeradius.org/pam_radius_auth/USAGE