Problem with external authentication script
Alan DeKok
aland at deployingradius.com
Mon Jun 8 12:59:20 CEST 2009
Stefan Kuegler wrote:
> I want to use MOTP for authentication. MOTP uses a shell-script
> (/usr/local/bin/otpverify.sh) to verify the given password. The script
> needs five arguments (User, One-Time-Password, Secret, PIN and Offset).
Where do those arguments come from?
> My system is a fresh installation of freeradius on a Debian/Lenny system.
>
> I did the following changes on the following config-files:
>
> 1. A new dictionary-file (included in /etc/freeradius/dictionary):
> /etc/freeradius/dictionary.motp
> -------------------------------
> ATTRIBUTE Secret 960 string
> ATTRIBUTE PIN 961 string
> ATTRIBUTE Offset 962 string
That defines the attributes. Now, where do the values get populated?
> 2. A new module in
> /etc/freeradius/radiusd.conf (modules-section):
> ----------------------------
> [...]
> exec motp {
> wait = yes
> program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{Secret} %{PIN} %{Offset}"
> input_pairs = request
> output_pairs = config
> }
> [...]
The %{...} syntax replaces the given string with the *value* of the
named attribute. Where are you setting these values?
> The main problem is: freeradius didn't call the script with all the
> needed arguments - so the authentication fails:
>
> [...]
> expand: /usr/local/bin/otpverify.sh '%{User-Name}'
> '%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}' ->
> /usr/local/bin/otpverify.sh 'stefan' '123' '' '' ''
Because you haven't defined any values for those attributes.
Alan DeKok.
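
An added example, not part of the original message and not code from the MOTP otpverify.sh script: a fail-closed argument guard that a five-argument verifier script could run first, so that a call like the one in the debug output above (empty Secret, PIN and Offset) is rejected before any OTP comparison happens. The function name, the exit codes and the rule that Offset must be an integer are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed argument check for a five-argument OTP verifier.
# Argument order (User, OTP, Secret, PIN, Offset) is taken from the thread.
# Function name, exit codes and the integer rule for Offset are assumptions.
motp_check_args() {
    # A wrong argument count means the caller's command line is malformed.
    if [ "$#" -ne 5 ]; then
        echo "reject: expected 5 arguments, got $#" >&2
        return 2
    fi

    # Walk the five positions in order. An attribute that had no value is
    # expanded to '' and still occupies its position, so test each for empty.
    for name in User OTP Secret PIN Offset; do
        if [ -z "$1" ]; then
            echo "reject: $name is empty (attribute had no value)" >&2
            return 3
        fi
        last=$1
        shift
    done

    # $last now holds Offset: allow only digits with an optional leading '-'.
    case "$last" in
        -|*[!0-9-]*|?*-*)
            echo "reject: Offset is not an integer" >&2
            return 4
            ;;
    esac
    return 0
}

# The command line from the debug output in the thread (three empty values).
motp_check_args 'stefan' '123' '' '' '' || echo "exit status $?"
```
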