Exercising Challenge/Response code path in pam client?
rcp at sentientmeat.ca
Sat Sep 24 15:43:02 CEST 2016
On Fri, Sep 23, 2016 at 8:46 PM, Alan DeKok <aland at deployingradius.com> wrote:
> On Sep 23, 2016, at 3:40 PM, Richard Perrin <rcp at sentientmeat.ca> wrote:
>> Which of the existing methods would you select for least friction in
> You can't just pick something and implement it. You need *reasons* to implement challenge-response. If you don't have reasons, you don't need it.

My reason is that I'm integrating the pam-radius-auth client into a
product and need to verify the full client functionality. I need to
create a lasting test-bed that simulates a target deployment that
would be using Challenge/Response authentication. I'm familiar with
configuring and implementing PAM modules, but this is the first time I
haven't had a pre-deployed RADIUS server to test against. So, I'm
setting freeradius server up and configuring it for the first time.

Thus, I'll re-iterate my original request:

I'm seeking a simple as possible config for freeradius server (now
version 3.0.11) that would allow me to exercise the Challenge/Response
path in the pam client (packaged on Ubuntu 14.04 as

An additional detail is that I'm using the radius pam module for the
login and ssh services.

I looked at the rlm_otp module, but found the otpd codebase is
dormant. rlm_eap may be where I end up, but the breadth of options
there seems like I'll spend a lot of time figuring out the
configuration. rlm_yubikey, rlm_securid, and rlm_smsotp require
devices or infrastructure I don't currently have, but could obtain if
warranted. Of the other modules that grep for CHALLENGE,
rlm_preprocess, rlm_example, rlm_replicate don't seem suitable. So
rlm_cram, rlm_mschap, rlm_chap or rlm_eap seem like the best
candidates. EAP has documentation, which the others lack.

Is there one that seems like the winner for ease of configuration for