freeradius and yubikeys

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri May 9 13:02:38 CEST 2014


On 9 May 2014, at 11:14, Frederic Van Espen <frederic.ve at gmail.com> wrote:

> On Fri, May 9, 2014 at 9:11 AM, Arran Cudbard-Bell
> <a.cudbardb at freeradius.org> wrote:
>> Which you'd get if you rolled your own packages, and hey you'd actually be
>> contributing something, because if you came across any defects, you might
>> actually be able to provide useful debugging info.
> 
> I now have version 3.0.2 up and running with rlm_yubikey. For this
> testing setup, I'm simply trying to validate to the public yubicloud
> server using the validate mode.
> 
> When I was using the rlm_perl based module, I was able to enter a user
> password, followed by the OTP token. The perl module extracted the OTP
> and passed on the user password for further authentication (in my case
> LDAP). Now when I use radtest like this:
> root at obelix-clone:/usr/src# radtest fes
> testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr 127.0.0.1
> 0 testing123
> Sending Access-Request of id 85 from 0.0.0.0 port 56523 to 127.0.0.1 port 1812
> User-Name = 'fes'
> User-Password = 'testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr'
> NAS-IP-Address = 172.16.35.65
> NAS-Port = 0
> Message-Authenticator = 0x00
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=85, length=20
> 
> 
> Here's the output of the server:
> rad_recv: Access-Request packet from host 127.0.0.1 port 56523, id=85,
> length=121
> User-Name = 'fes'
> User-Password = 'testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr'
> NAS-IP-Address = 172.16.35.65
> NAS-Port = 0
> Message-Authenticator = 0xf4c430ea058e22ef07ef239f42b0270f
> Fri May  9 11:52:20 2014 : Debug: (0) # Executing section authorize
> from file /etc/freeradius/sites-enabled/default
> Fri May  9 11:52:20 2014 : Debug: (0)   authorize {
> Fri May  9 11:52:20 2014 : Debug: (0)   modsingle[authorize]: calling
> preprocess (rlm_preprocess) for request 0
> Fri May  9 11:52:20 2014 : Debug: (0)   modsingle[authorize]: returned
> from preprocess (rlm_preprocess) for request 0
> Fri May  9 11:52:20 2014 : Debug: (0)   [preprocess] = ok
> Fri May  9 11:52:20 2014 : Debug: (0)   modsingle[authorize]: calling
> yubikey (rlm_yubikey) for request 0
> Fri May  9 11:52:20 2014 : Debug: (0) yubikey : User-Password value is
> not the correct length, expected 44, got 59

^ Look at me, look at me, I'm the reason why it's not working, look at me look at me.

> Fri May  9 11:52:20 2014 : Debug: (0)   modsingle[authorize]: returned
> from yubikey (rlm_yubikey) for request 0
> Fri May  9 11:52:20 2014 : Debug: (0)   [yubikey] = noop
> Fri May  9 11:52:20 2014 : Debug: (0)    if (ok)
> Fri May  9 11:52:20 2014 : Debug: (0)    if (ok)  -> FALSE
> 
> Do you know of any way to regain the behaviour of the rlm_perl based
> module (user password AND OTP token for two factor authentication)?
> Should I maybe handle that in the configuration?

The scheme of concatenating the password with the token string is user defined.
The yubikey module checks you've performed the split correctly, by looking at
the length of the User-Password. It cannot split out the password + OTP token
for you as it does not know your concatenation scheme. The yubikey module 
restricts you to straight concatenation with no separator, FreeRADIUS lets you
use any scheme.

If you're doing 2FA as a single round with password + OTP concatenation, you
need something like:

authorize {
	# 44 is OTP len (32) + public ID len (12)
	if (User-Password =~ /^(.*)([cbdefghijklnrtuv]{44})$/) {
		# Hand only the OTP to the yubikey module. ':=' replaces the
		# existing value; '=' would only add the attribute if it were
		# missing, leaving the concatenated string in place.
		update request {
			User-Password := "%{2}"
		}
		yubikey
		if (ok) {
			# OTP accepted, restore the plain password for the password modules
			update request {
				User-Password := "%{1}"
			}
		}
	}
	<insert modules to get control:Password-With-Header or control:*-Password, ldap, files etc...>
	pap
}

If you look, that's almost exactly what the perl module does.

The above will work for normal PAP auth as well as Yubikey auth, as normal 
passwords are never likely to be that long and consist of modhex chars.

AFAIK Yubico don't authenticate passwords centrally, just the OTP codes.
If that's changed and the API allows the user's password to be sent in some
form I can take a look at updating the module, but I don't believe it has.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
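The same split rule in Python, as an added example that is not part of this message or of FreeRADIUS/rlm_yubikey: it mirrors the length check the module logged above (expected 44, got 59) and the unlang regex, then simulates the authorize flow with a constructed stand-in for the OTP validation call. The sample User-Password is the one from the radtest run in the thread; `check_token_length`, `authorize` and `accept_any_wellformed` are illustrative helpers assumed here, not the module's API.

```python
import re
from typing import Callable, Optional, Tuple

# YubiKey OTPs are written in modhex: the 16 characters c b d e f g h i j k l n r t u v.
MODHEX = "cbdefghijklnrtuv"
PUBLIC_ID_LEN = 12                         # default public ID length
OTP_BODY_LEN = 32                          # encrypted counter/session block
TOKEN_LEN = PUBLIC_ID_LEN + OTP_BODY_LEN   # 44, the length rlm_yubikey expects

# Same rule as the unlang regex in the message: anything, then exactly 44
# trailing modhex characters. Straight concatenation, no separator.
_SPLIT_RE = re.compile(r"^(.*)([%s]{%d})$" % (MODHEX, TOKEN_LEN))

# Constructed sample: the User-Password from the radtest run in the thread
# (15-char password followed by a 44-char token, 59 chars in total).
SAMPLE_USER_PASSWORD = "testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr"


def check_token_length(value: str) -> Tuple[bool, int, int]:
    """Mirror the check rlm_yubikey applies to the whole User-Password.
    Returns (ok, expected, got); the sample above yields (False, 44, 59)."""
    return (len(value) == TOKEN_LEN, TOKEN_LEN, len(value))


def split_password_otp(value: str) -> Optional[Tuple[str, str]]:
    """Return (password, otp) when the value ends in a 44-char modhex token,
    otherwise None (treat the value as a plain password)."""
    m = _SPLIT_RE.match(value)
    if m is None:
        return None
    return m.group(1), m.group(2)


def public_id(otp: str) -> str:
    """First 12 modhex chars identify the key; the rest is the per-press OTP."""
    return otp[:PUBLIC_ID_LEN]


def accept_any_wellformed(otp: str) -> bool:
    """Constructed stand-in for the real validation step (yubikey module /
    Yubico validation server): accepts any well-formed 44-char modhex token."""
    return len(otp) == TOKEN_LEN and all(ch in MODHEX for ch in otp)


def authorize(value: str, verify_otp: Callable[[str], bool]) -> Optional[str]:
    """Simulate the authorize policy from the message: split, verify the OTP,
    and if it is accepted return the password to hand on to pap/ldap.
    A value with no trailing token is returned untouched (plain PAP).
    On OTP failure this returns None so the password is not forwarded at all."""
    parts = split_password_otp(value)
    if parts is None:
        return value
    password, otp = parts
    if not verify_otp(otp):
        return None
    return password


if __name__ == "__main__":
    print(check_token_length(SAMPLE_USER_PASSWORD))
    print(split_password_otp(SAMPLE_USER_PASSWORD))
    print(authorize(SAMPLE_USER_PASSWORD, accept_any_wellformed))
```

The greedy `(.*)` keeps as much as possible in the password group, so the token is always exactly the last 44 characters. The caveat in the message applies here too: a password that is itself 44 or more modhex characters long would be split as if it carried a token, so this scheme relies on ordinary passwords not looking like that.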
