freeradius and yubikeys
Frederic Van Espen
frederic.ve at gmail.com
Sat May 10 18:01:49 CEST 2014
On Sat, May 10, 2014 at 2:44 PM, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
>> I don't believe the configuration was changed, and it was working on
>> 3.0.2 with the password and token splitting done in the vhost config.
>> I'll test later today with version 3.0.2 again to confirm.
>
> OK.
>
Confirmed, without even touching the rlm_yubikey config file and
simply downgrading the packages, authentication works fine. The API
key was not changed in the config files.
>
> Thanks.
>
> Hm, fixed that one issue, doubt it would have caused a validation error though.
>
> The rest of the output was false positives. The server just exits without
> attempting to cleanup unless you specify -m.
That's weird. I did start it like this:
valgrind --leak-check=full /usr/sbin/freeradius -Xx -m
> I've made it a bit more strict about starting up with invalid API keys, so if
> it's getting the config from somewhere other than where you think it is, it'll
> refuse to start.
I took a few HTTP traces to compare the difference between 3.0.2 and
3.0.3. Here's the request for 3.0.2:
48.948991 172.16.35.65 -> 103.6.213.69 HTTP 293 GET /wsapi/2.0/verify?id=<XXXXX>&nonce=rvepnyfmrllivnnlbuorqnpetedqwldn&otp=ccccccdbkebjdktflifkufelthvkbjucgfefkijlvrdc&h=V1HcnOhTiaW2mxs5Zgeg1VqFU5k%3D HTTP/1.1
And here's one for 3.0.3:
0.033011 172.16.35.65 -> 109.74.193.72 HTTP 264 GET /wsapi/2.0/verify?id=<XXXXX>&nonce=tughzbxuolnhvjqhyryljthvdkwwyjnu&otp=testingpassword&h=uJfyrooihrq7onQhW8coLiyWARE%3D HTTP/1.1
Looks like we're sending the user's password instead of the OTP :-) I
guess that should be easy to fix?
Cheers,
Frederic
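
A pre-flight check for the failure visible in the two traces above, as an added example that is not part of the original message or of FreeRADIUS's code: it splits a combined password-plus-OTP string and refuses any `otp=` value that is not modhex, so a user's password is never forwarded to the validation service. The function names and the 44-character OTP length (12-character public ID) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Yubico OTPs are modhex: only these 16 letters, 32 to 48 characters
# (an optional public ID of up to 16 characters plus a 32-character token).
MODHEX_OTP = re.compile(r"[cbdefghijklnrtuv]{32,48}")
OTP_LEN = 44  # assumption: 12-character public ID, as in the 3.0.2 trace


def split_password_otp(user_password):
    """Split a 'password + OTP' string into (password, otp).

    Returns (user_password, None) when the tail is not a well-formed OTP,
    so the caller can reject instead of forwarding the wrong value.
    """
    tail = user_password[-OTP_LEN:]
    if len(user_password) < OTP_LEN or not MODHEX_OTP.fullmatch(tail):
        return user_password, None
    return user_password[:-OTP_LEN], tail


def otp_param_is_wellformed(request_target):
    """True if a /wsapi/2.0/verify request carries exactly one modhex otp=."""
    values = parse_qs(urlsplit(request_target).query).get("otp", [])
    return len(values) == 1 and MODHEX_OTP.fullmatch(values[0]) is not None


# Request targets abbreviated from the two traces in the message
# (nonce and h parameters dropped, id left redacted as posted).
SAMPLE_OTP = "ccccccdbkebjdktflifkufelthvkbjucgfefkijlvrdc"
REQ_302 = "/wsapi/2.0/verify?id=<XXXXX>&otp=" + SAMPLE_OTP
REQ_303 = "/wsapi/2.0/verify?id=<XXXXX>&otp=testingpassword"

if __name__ == "__main__":
    for version, req in (("3.0.2", REQ_302), ("3.0.3", REQ_303)):
        print(version, "otp well-formed:", otp_param_is_wellformed(req))
    print(split_password_otp("testingpassword" + SAMPLE_OTP))
```
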