my first freeradius module

Brian Candler B.Candler at pobox.com
Sun Mar 13 08:38:01 CET 2011


On Fri, Mar 11, 2011 at 06:13:45PM -0300, Herbert Fischer wrote:
>    This module will do OTP two way authentication. It will extract part of
>    the password (ex.: latest 6 digits) to verify and the remaining
>    "password" will be returned to Freeradius to test against another
>    module (LDAP for example).
...
>    What do you suggest? Is there any other way to do this two way
>    authentication without needing to develop a module for it?

Have you looked in the src/modules directory? And you've seen that there's
src/modules/rlm_otp already?  If that does the OTP part in the way you need,
then splitting the password into two is easy.

    if (User-Password =~ /^(......)(.*)$/) {
        update request {
            # The OTP password for rlm_otp to check
            User-Password = "%{1}"
            # The remainder to check against mysql or ldap
            Tmp-String-0 = "%{2}"
        }
    }
    ... continue

See "man unlang" for the details. This won't work for
CHAP-Challenge/CHAP-Password, obviously - only PAP.

(rlm_otp appears to be undocumented, so if you want to update
http://wiki.freeradius.org/Rlm_otp as you work with it, that would be a
useful contribution)

Otherwise, to make a completely custom module which links against an
existing C library, you can start with rlm_example and borrow logic from
other modules as required.  But you're right, it's tricky to do properly.

If that were necessary, I'd say you'd be better off using rlm_perl or
rlm_python and writing the logic there.

Regards,

Brian.
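
The split described in the reply above, written as plain Python of the kind that could sit behind rlm_python logic. This is an added example, not part of the original post and not FreeRADIUS code. It goes beyond the regex in the post by also handling an OTP at the end of the password and by rejecting input that cannot be split. The function name, the `otp_last` option, the digits-only check and the sample passwords are assumptions.

```python
import re

# Assumed layout: a fixed-length numeric OTP concatenated with a static password.
OTP_LEN = 6


def split_password(password, otp_len=OTP_LEN, otp_last=False):
    """Split a PAP password into (otp, remainder), or return None.

    otp_last=False mirrors the regex in the post: the OTP is the first
    otp_len characters. otp_last=True takes the final otp_len characters.
    None means "cannot be split", so the caller can reject the request
    instead of passing a partial value to the next module.
    """
    if not isinstance(password, str) or len(password) <= otp_len:
        # Stricter than /^(......)(.*)$/, which accepts an empty remainder:
        # with nothing left over there is no second factor to check.
        return None
    if otp_last:
        remainder, otp = password[:-otp_len], password[-otp_len:]
    else:
        otp, remainder = password[:otp_len], password[otp_len:]
    # "." in the regex matches any character; require ASCII digits here so
    # a mistyped or malformed OTP is rejected before any backend is asked.
    if not re.fullmatch(r"[0-9]{%d}" % otp_len, otp):
        return None
    return otp, remainder


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, last in [("123456hunter2", False), ("hunter2123456", True),
                     ("123456", False), ("12a456hunter2", False)]:
        result = split_password(pw, otp_last=last)
        # Report only whether the split worked; never log the password parts.
        print("otp_last=%s -> %s" % (last, "split ok" if result else "rejected"))
```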


