freeradius and yubikeys
Frederic Van Espen
frederic.ve at gmail.com
Fri May 9 16:49:05 CEST 2014
On Fri, May 9, 2014 at 3:52 PM, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
> I've fixed it in v3.0.x HEAD (which will become 3.0.3 very soon) so that
> it just works. If you could test it'd be very much appreciated :)
>
> For your setup with LDAP and crypt, it'd be something like:
> authorize {
> yubikey
> ldap
> }
>
> authenticate {
> Auth-Type yubikey {
> yubikey
> pap
> }
> }
Alas, does not seem to work with the configuration you suggest :-(
Relevant configuration files and debug output:
mods-enabled/yubikey:
yubikey {
split = yes
decrypt = no
validate = yes
validation {
servers {
}
client_id = XXXXX
api_key = 'OBSCURED'
pool {
start = 5
min = 4
max = 10
spare = 3
uses = 0
lifetime = 0
idle_timeout = 60
spread = yes
}
}
}
sites-enabled/default:
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
authorize {
preprocess
yubikey
-ldap
expiration
logintime
}
authenticate {
Auth-Type yubikey {
yubikey
pap
}
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
-sql
exec
attr_filter.accounting_response
}
session {
}
post-auth {
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
}
pre-proxy {
}
post-proxy {
eap
}
}
and the debugging output:
Received Access-Request Id 9 from 127.0.0.1:37537 to 127.0.0.1:1812 length 121
User-Name = 'fes'
User-Password = 'testingpasswordccccccdbkebjkgfkgdrvthntvckrnifbicgrdgrldigl'
NAS-IP-Address = 172.16.35.65
NAS-Port = 0
Message-Authenticator = 0x9c976b6fd97fd7fc4d98acd97be8fc27
Fri May 9 16:41:15 2014 : Debug: (0) # Executing section authorize
from file /etc/freeradius/sites-enabled/default
Fri May 9 16:41:15 2014 : Debug: (0) authorize {
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 0
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: returned
from preprocess (rlm_preprocess) for request 0
Fri May 9 16:41:15 2014 : Debug: (0) [preprocess] = ok
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: calling
yubikey (rlm_yubikey) for request 0
Fri May 9 16:41:15 2014 : Debug: (0) yubikey : User-Password
(aes-block) value contains non modhex chars
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: returned
from yubikey (rlm_yubikey) for request 0
Fri May 9 16:41:15 2014 : Debug: (0) [yubikey] = noop
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: calling
ldap (rlm_ldap) for request 0
Fri May 9 16:41:15 2014 : Debug: rlm_ldap (ldap): Reserved connection (4)
Fri May 9 16:41:15 2014 : Debug: (uid=%{%{Stripped-User-Name}:-%{User-Name}})
Fri May 9 16:41:15 2014 : Debug: Parsed xlat tree:
Fri May 9 16:41:15 2014 : Debug: literal --> (uid=
Fri May 9 16:41:15 2014 : Debug: if {
Fri May 9 16:41:15 2014 : Debug: attribute --> Stripped-User-Name
Fri May 9 16:41:15 2014 : Debug: {
Fri May 9 16:41:15 2014 : Debug: ref 2
Fri May 9 16:41:15 2014 : Debug: list 1
Fri May 9 16:41:15 2014 : Debug: tag -128
Fri May 9 16:41:15 2014 : Debug: }
Fri May 9 16:41:15 2014 : Debug: }
Fri May 9 16:41:15 2014 : Debug: else {
Fri May 9 16:41:15 2014 : Debug: attribute --> User-Name
Fri May 9 16:41:15 2014 : Debug: {
Fri May 9 16:41:15 2014 : Debug: ref 2
Fri May 9 16:41:15 2014 : Debug: list 1
Fri May 9 16:41:15 2014 : Debug: tag -128
Fri May 9 16:41:15 2014 : Debug: }
Fri May 9 16:41:15 2014 : Debug: }
Fri May 9 16:41:15 2014 : Debug: literal --> )
Fri May 9 16:41:15 2014 : Debug: (0) ldap : EXPAND
(uid=%{%{Stripped-User-Name}:-%{User-Name}})
Fri May 9 16:41:15 2014 : Debug: (0) ldap : --> (uid=fes)
Fri May 9 16:41:15 2014 : Debug: ou=People,dc=escaux,dc=com
Fri May 9 16:41:15 2014 : Debug: Parsed xlat tree:
Fri May 9 16:41:15 2014 : Debug: literal --> ou=People,dc=escaux,dc=com
Fri May 9 16:41:15 2014 : Debug: (0) ldap : EXPAND ou=People,dc=escaux,dc=com
Fri May 9 16:41:15 2014 : Debug: (0) ldap : --> ou=People,dc=escaux,dc=com
Fri May 9 16:41:15 2014 : Debug: (0) ldap : Performing search in
'ou=People,dc=escaux,dc=com' with filter '(uid=fes)', scope 'sub'
Fri May 9 16:41:15 2014 : Debug: (0) ldap : Waiting for search result...
Fri May 9 16:41:15 2014 : Debug: (0) ldap : User object found at DN
"uid=fes,ou=People,dc=escaux,dc=com"
Fri May 9 16:41:15 2014 : Debug: (0) ldap : Processing user attributes
Fri May 9 16:41:15 2014 : Debug: (0) ldap :
control:Password-With-Header +=
''{CRYPT}$6$rounds=1000$czjqtQQw5Sx6BURM$67zg9ok5r8IVTQNcQkdx1Mbi5A75gbHgt5I3oI/Z038MPg8htLLswallK.ou/r914j/0Tkwyuf92ZHsVg1DTz.''
Fri May 9 16:41:15 2014 : Debug: (0) ldap : Attribute "ntPassword"
not found in LDAP object
Fri May 9 16:41:15 2014 : Debug: rlm_ldap (ldap): Released connection (4)
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: returned
from ldap (rlm_ldap) for request 0
Fri May 9 16:41:15 2014 : Debug: (0) [ldap] = ok
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: calling
expiration (rlm_expiration) for request 0
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: returned
from expiration (rlm_expiration) for request 0
Fri May 9 16:41:15 2014 : Debug: (0) [expiration] = noop
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: calling
logintime (rlm_logintime) for request 0
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[authorize]: returned
from logintime (rlm_logintime) for request 0
Fri May 9 16:41:15 2014 : Debug: (0) [logintime] = noop
Fri May 9 16:41:15 2014 : Debug: (0) } # authorize = ok
Fri May 9 16:41:15 2014 : ERROR: (0) No Auth-Type found: rejecting
the user via Post-Auth-Type = Reject
Fri May 9 16:41:15 2014 : Debug: (0) Failed to authenticate the user.
Fri May 9 16:41:15 2014 : Debug: (0) Using Post-Auth-Type Reject
Fri May 9 16:41:15 2014 : Debug: (0) # Executing group from file
/etc/freeradius/sites-enabled/default
Fri May 9 16:41:15 2014 : Debug: (0) Post-Auth-Type REJECT {
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[post-auth]: calling
attr_filter.access_reject (rlm_attr_filter) for request 0
Fri May 9 16:41:15 2014 : Debug: %{User-Name}
Fri May 9 16:41:15 2014 : Debug: Parsed xlat tree:
Fri May 9 16:41:15 2014 : Debug: attribute --> User-Name
Fri May 9 16:41:15 2014 : Debug: {
Fri May 9 16:41:15 2014 : Debug: ref 2
Fri May 9 16:41:15 2014 : Debug: list 1
Fri May 9 16:41:15 2014 : Debug: tag -128
Fri May 9 16:41:15 2014 : Debug: }
Fri May 9 16:41:15 2014 : Debug: (0) attr_filter.access_reject :
EXPAND %{User-Name}
Fri May 9 16:41:15 2014 : Debug: (0) attr_filter.access_reject : --> fes
Fri May 9 16:41:15 2014 : Debug: (0) attr_filter.access_reject :
Matched entry DEFAULT at line 11
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[post-auth]: returned
from attr_filter.access_reject (rlm_attr_filter) for request 0
Fri May 9 16:41:15 2014 : Debug: (0) [attr_filter.access_reject] = updated
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[post-auth]: calling
eap (rlm_eap) for request 0
Fri May 9 16:41:15 2014 : Debug: (0) eap : Request didn't contain an
EAP-Message, not inserting EAP-Failure
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[post-auth]: returned
from eap (rlm_eap) for request 0
Fri May 9 16:41:15 2014 : Debug: (0) [eap] = noop
Fri May 9 16:41:15 2014 : Debug: (0) remove_reply_message_if_eap
remove_reply_message_if_eap {
Fri May 9 16:41:15 2014 : Debug: (0) if (reply:EAP-Message &&
reply:Reply-Message)
Fri May 9 16:41:15 2014 : Debug: (0) if (reply:EAP-Message &&
reply:Reply-Message) -> FALSE
Fri May 9 16:41:15 2014 : Debug: (0) else else {
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[post-auth]: calling
noop (rlm_always) for request 0
Fri May 9 16:41:15 2014 : Debug: (0) modsingle[post-auth]: returned
from noop (rlm_always) for request 0
Fri May 9 16:41:15 2014 : Debug: (0) [noop] = noop
Fri May 9 16:41:15 2014 : Debug: (0) } # else else = noop
Fri May 9 16:41:15 2014 : Debug: (0) } #
remove_reply_message_if_eap remove_reply_message_if_eap = noop
Fri May 9 16:41:15 2014 : Debug: (0) } # Post-Auth-Type REJECT = updated
Fri May 9 16:41:15 2014 : Debug: (0) Delaying response for 1 seconds
Fri May 9 16:41:15 2014 : Debug: Waking up in 0.3 seconds.
Fri May 9 16:41:16 2014 : Debug: Waking up in 0.6 seconds.
Fri May 9 16:41:16 2014 : Debug: (0) Sending delayed response
Sending Access-Reject Id 9 from 127.0.0.1:1812 to 127.0.0.1:37537
Fri May 9 16:41:16 2014 : Debug: Waking up in 3.9 seconds.
Fri May 9 16:41:20 2014 : Debug: (0) Cleaning up request packet ID 9
with timestamp +11
Fri May 9 16:41:20 2014 : Info: Ready to process requests.
Let me know if there is anything more that you need tested.
Frederic
More information about the Freeradius-Users
mailing list