The above linked PR is ready for review by a maintainer. I've tried to cherry-pick only the most relevant commits from the upstream. The build was tested in the vyos-build container (as modified in https://vyos.dev/T7300) after each commit and the overall authentication flow was tested once as described in the PR.

https://github.com/vyos/vyos-build/pull/939

I have drafted https://github.com/vyos/libpam-radius-auth/pull/9 with the relevant commits cherry-picked from the upstream FreeRADIUS repo. I haven't been able to test the build yet due to some (probably) unrelated issues with apt in a Debian container.

PR https://github.com/vyos/vyos-1x/pull/4323

Line 86 in python/vyos/utils/process.py breaks the git commit-archive functionality since it passes a list to the rc_cmd function which eventually gets passed to popen. The new line added for this wrapper converts the list to a string similar to "['git', 'clone', 'git@<github url>', '/tmp/git-commit-archive-ypvbmg7z/repository', '--depth=1']". Since there is no wrapper, the command becomes a space followed by that string rather than the intended git clone git@<github url> /tmp/git-commit-archive-ypvbmg7z/repository --depth=1. I expect it would be better if get_wrapper returned a similar list, then if the passed in command is a string, join the wrapper and prepend to the string, otherwise if the command is a list prepend the elements of the wrapper to the list.

PR https://github.com/vyos/vyos-1x/pull/4303