freeradius and yubikeys

Frederic Van Espen frederic.ve at gmail.com
Sat May 10 09:06:33 CEST 2014


On Sat, May 10, 2014 at 1:37 AM, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
>
> Ah, yes, I accidentally fixed it.
>
> https://github.com/FreeRADIUS/freeradius-server/commit/34dd540de3ac66c659e3d9f271f62751ab4c9d67#diff-dbe11f71860dd5f560f97273854f73baL288
>
> Was reading len bytes, should have only been 44 :)
>
>> Output is different
>> this time and I'm doing the same thing with the same config. I'm
>> starting it by running "freeradius -Xx" as you suggested. Looks like
>> the authorize section worked correctly (it set Auth-Type to yubikey),
>> but then authentication part fails (BAD_SERVER_SIGNATURE):
>
> Hm, that apparently means that the API key was incorrect. Double check the config?

I don't believe the configuration was changed, and it was working on
3.0.2 with the password and token splitting done in the vhost config.
I'll test later today with version 3.0.2 again to confirm.

> valgrind --leak-check=full <path to freeradius> <args> -m
>
> I guess it could be memory corruption...

Here's the output from valgrind. Admittedly, this is relatively
unknown ground for me so I don't really know what the output means,
but at least it is indeed doing some output where rlm_yubikey is
concerned:

Ready to process requests.
Received Access-Request Id 160 from 127.0.0.1:34487 to 127.0.0.1:1812 length 121
User-Name = 'fes'
User-Password = 'testingpasswordccccccdbkebjgjjgnhrrgtdlderdhtjtnhknrlhtgbbn'
NAS-IP-Address = 172.16.35.65
NAS-Port = 0
Message-Authenticator = 0x4fa072c8817ccaa12dd7a55fd90af6cd
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0)   authorize {
(0)   [preprocess] = ok
==6105== Invalid read of size 1
==6105==    at 0x4C2A884: memcpy (mc_replace_strmem.c:838)
==6105==    by 0x5074815: pairstrncpy (in /usr/lib/freeradius/libfreeradius-radius.so)
==6105==    by 0x9BC9C68: mod_authorize (in /usr/lib/freeradius/rlm_yubikey.so)
==6105==    by 0x41FEAD: modcall_recurse (in /usr/sbin/freeradius)
==6105==    by 0x41F220: modcall_child (in /usr/sbin/freeradius)
==6105==    by 0x41F3DD: modcall_recurse (in /usr/sbin/freeradius)
==6105==    by 0x4204FC: modcall (in /usr/sbin/freeradius)
==6105==    by 0x41DC02: indexed_modcall (in /usr/sbin/freeradius)
==6105==    by 0x40F7D1: rad_authenticate (in /usr/sbin/freeradius)
==6105==    by 0x42C742: request_running (in /usr/sbin/freeradius)
==6105==    by 0x429DE4: request_queue_or_run (in /usr/sbin/freeradius)
==6105==    by 0x42B006: request_receive (in /usr/sbin/freeradius)
==6105==  Address 0xcd6471a is 106 bytes inside a block of size 140 free'd
==6105==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==6105==    by 0x5AED918: _talloc_free (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==6105==    by 0x5072E1B: pairstrsteal (in /usr/lib/freeradius/libfreeradius-radius.so)
==6105==    by 0x9BC9D09: mod_authorize (in /usr/lib/freeradius/rlm_yubikey.so)
==6105==    by 0x41FEAD: modcall_recurse (in /usr/sbin/freeradius)
==6105==    by 0x41F220: modcall_child (in /usr/sbin/freeradius)
==6105==    by 0x41F3DD: modcall_recurse (in /usr/sbin/freeradius)
==6105==    by 0x4204FC: modcall (in /usr/sbin/freeradius)
==6105==    by 0x41DC02: indexed_modcall (in /usr/sbin/freeradius)
==6105==    by 0x40F7D1: rad_authenticate (in /usr/sbin/freeradius)
==6105==    by 0x42C742: request_running (in /usr/sbin/freeradius)
==6105==    by 0x429DE4: request_queue_or_run (in /usr/sbin/freeradius)
==6105==
(0)   [yubikey] = ok
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap :    --> (uid=fes)
(0) ldap : EXPAND ou=People,dc=escaux,dc=com
(0) ldap :    --> ou=People,dc=escaux,dc=com
(0) ldap : Performing search in 'ou=People,dc=escaux,dc=com' with filter '(uid=fes)', scope 'sub'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=fes,ou=People,dc=escaux,dc=com"
(0) ldap : Processing user attributes
(0) ldap : control:Password-With-Header += ''{CRYPT}$6$rounds=1000$czjqtQQw5Sx6BURM$67zg9ok5r8IVTQNcQkdx1Mbi5A75gbHgt5I3oI/Z038MPg8htLLswallK.ou/r914j/0Tkwyuf92ZHsVg1DTz.''
rlm_ldap (ldap): Released connection (4)
(0)   [ldap] = ok
(0)   [expiration] = noop
(0)   [logintime] = noop
(0)  } #  authorize = ok
(0) Found Auth-Type = yubikey
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)  Auth-Type yubikey {
rlm_yubikey (yubikey): Reserved connection (4)
(0) ERROR: yubikey : Server response signature was invalid (BAD_SERVER_SIGNATURE)
rlm_yubikey (yubikey): Released connection (4)
(0)   [yubikey] = fail
(0)  } # Auth-Type yubikey = fail
(0) Failed to authenticate the user.
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)  Post-Auth-Type REJECT {
(0) attr_filter.access_reject : EXPAND %{User-Name}
(0) attr_filter.access_reject :    --> fes
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0)   [attr_filter.access_reject] = updated
(0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0)   [eap] = noop
(0)   remove_reply_message_if_eap remove_reply_message_if_eap {
(0)     if (reply:EAP-Message && reply:Reply-Message)
(0)     if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
(0)    else else {
(0)     [noop] = noop
(0)    } # else else = noop
(0)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0)  } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.9 seconds.
(0) Sending delayed response
Sending Access-Reject Id 160 from 127.0.0.1:1812 to 127.0.0.1:34487
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 160 with timestamp +16
Ready to process requests.
^CReady to process requests.
Signalled to terminate
Exiting normally.
rlm_ldap (ldap): Removing connection pool
rlm_ldap (ldap): Closing connection (4)
rlm_ldap (ldap): Closing connection (3)
rlm_ldap (ldap): Closing connection (2)
rlm_ldap (ldap): Closing connection (1)
rlm_ldap (ldap): Closing connection (0)
rlm_yubikey (yubikey): Removing connection pool
rlm_yubikey (yubikey): Closing connection (3)
rlm_yubikey (yubikey): Closing connection (2)
rlm_yubikey (yubikey): Closing connection (1)
rlm_yubikey (yubikey): Closing connection (0)
rlm_yubikey (yubikey): Closing connection (4)
==6105==
==6105== HEAP SUMMARY:
==6105==     in use at exit: 48,749 bytes in 1,000 blocks
==6105==   total heap usage: 57,844 allocs, 56,844 frees, 5,591,028 bytes allocated
==6105==
==6105== LEAK SUMMARY:
==6105==    definitely lost: 2,409 bytes in 18 blocks
==6105==    indirectly lost: 40,814 bytes in 936 blocks
==6105==      possibly lost: 0 bytes in 0 blocks
==6105==    still reachable: 5,526 bytes in 46 blocks
==6105==         suppressed: 0 bytes in 0 blocks
==6105== Reachable blocks (those to which a pointer was found) are not shown.
==6105== To see them, rerun with: --leak-check=full --show-reachable=yes
==6105==
==6105== For counts of detected and suppressed errors, rerun with: -v
==6105== ERROR SUMMARY: 30 errors from 19 contexts (suppressed: 149 from 8)
==6105== could not unlink /tmp/vgdb-pipe-from-vgdb-to-6105-by-root-on-???
==6105== could not unlink /tmp/vgdb-pipe-to-vgdb-from-6105-by-root-on-???
==6105== could not unlink /tmp/vgdb-pipe-shared-mem-vgdb-6105-by-root-on-???


Cheers,

Frederic
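
Added example, not part of the original message and not FreeRADIUS code: the valgrind trace above shows pairstrncpy reading from a block that pairstrsteal had already freed inside the same mod_authorize call, and the quoted fix was about copying 44 bytes rather than len. The sketch below splits a "password + OTP" value so that both pieces are copied out before the original buffer is released. It uses plain malloc/free instead of talloc and the pair functions, and split_password_otp and is_modhex are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OTP_LEN 44 /* Yubikey OTP length, the "44" from the quoted fix */

/* Return 1 if the n bytes at s are all Yubikey modhex characters. */
static int is_modhex(const char *s, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (s[i] == '\0' || !strchr("cbdefghijklnrtuv", s[i])) return 0;
	return 1;
}

/*
 * Split "<password><44-char OTP>" into two freshly allocated strings.
 * Both copies are taken while `in` is still valid, so the caller may free
 * or replace `in` afterwards. Returns 0 on success, -1 on bad input.
 */
int split_password_otp(const char *in, size_t len, char **password, char **otp)
{
	*password = *otp = NULL;
	if (len < OTP_LEN || !is_modhex(in + len - OTP_LEN, OTP_LEN)) return -1;
	size_t pw_len = len - OTP_LEN;
	char *pw = malloc(pw_len + 1), *tok = malloc(OTP_LEN + 1);
	if (!pw || !tok) { free(pw); free(tok); return -1; }
	memcpy(pw, in, pw_len);            /* everything before the OTP */
	pw[pw_len] = '\0';
	memcpy(tok, in + pw_len, OTP_LEN); /* exactly 44 bytes, never len bytes */
	tok[OTP_LEN] = '\0';
	*password = pw;
	*otp = tok;
	return 0;
}

int main(void)
{
	/* User-Password value from the debug output in the post. */
	const char *sample = "testingpassword"
			     "ccccccdbkebjgjjgnhrrgtdlderdhtjtnhknrlhtgbbn";
	char *in = malloc(strlen(sample) + 1), *pw, *otp;
	if (!in) return 1;
	strcpy(in, sample);
	if (split_password_otp(in, strlen(in), &pw, &otp) < 0) { free(in); return 1; }
	free(in); /* safe: pw and otp no longer point into `in` */
	printf("password=%s otp=%s\n", pw, otp);
	free(pw); free(otp);
	return 0;
}
```

Built with -g and run under the same valgrind command quoted in the thread, this version reports no invalid reads; moving free(in) above the split call reproduces the kind of "inside a block ... free'd" report shown in the output.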

