<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<br>On 9 May 2014, at 11:14, Frederic Van Espen &lt;<a href="mailto:frederic.ve@gmail.com">frederic.ve@gmail.com</a>&gt; wrote:<br><br>
<blockquote type="cite">On Fri, May 9, 2014 at 9:11 AM, Arran Cudbard-Bell<br>&lt;<a href="mailto:a.cudbardb@freeradius.org">a.cudbardb@freeradius.org</a>&gt; wrote:<br>
<blockquote type="cite">Which you'd get if you rolled your own packages, and hey you'd actually be<br>contributing something, because if you came across any defects, you might<br>actually be able to provide useful debugging info.<br></blockquote><br>
I now have version 3.0.2 up and running with rlm_yubikey. For this<br>testing setup, I'm simply trying to validate to the public yubicloud<br>server using the validate mode.<br><br>
When I was using the rlm_perl based module, I was able to enter a user<br>password, followed by the OTP token. The perl module extracted the OTP<br>and passed on the user password for further authentication (in my case<br>LDAP). Now when I use radtest like this:<br>
root@obelix-clone:/usr/src# radtest fes testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr 127.0.0.1 0 testing123<br>
Sending Access-Request of id 85 from 0.0.0.0 port 56523 to 127.0.0.1 port 1812<br>
User-Name = 'fes'<br>
User-Password = 'testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr'<br>
NAS-IP-Address = 172.16.35.65<br>
NAS-Port = 0<br>
Message-Authenticator = 0x00<br>
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=85, length=20<br><br><br>
Here's the output of the server:<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 56523, id=85, length=121<br>
User-Name = 'fes'<br>
User-Password = 'testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr'<br>
NAS-IP-Address = 172.16.35.65<br>
NAS-Port = 0<br>
Message-Authenticator = 0xf4c430ea058e22ef07ef239f42b0270f<br>
Fri May 9 11:52:20 2014 : Debug: (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
Fri May 9 11:52:20 2014 : Debug: (0) authorize {<br>
Fri May 9 11:52:20 2014 : Debug: (0) modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0<br>
Fri May 9 11:52:20 2014 : Debug: (0) modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0<br>
Fri May 9 11:52:20 2014 : Debug: (0) [preprocess] = ok<br>
Fri May 9 11:52:20 2014 : Debug: (0) modsingle[authorize]: calling yubikey (rlm_yubikey) for request 0<br>
Fri May 9 11:52:20 2014 : Debug: (0) yubikey : User-Password value is not the correct length, expected 44, got 59<br></blockquote>
<div><br></div>
<div>^ Look at me, look at me, I'm the reason why it's not working, look at me look at me.</div>
<div><br>
<blockquote type="cite">Fri May 9 11:52:20 2014 : Debug: (0) modsingle[authorize]: returned from yubikey (rlm_yubikey) for request 0<br>
Fri May 9 11:52:20 2014 : Debug: (0) [yubikey] = noop<br>
Fri May 9 11:52:20 2014 : Debug: (0) if (ok)<br>
Fri May 9 11:52:20 2014 : Debug: (0) if (ok) -> FALSE<br><br>
Do you know of any way to regain the behaviour of the rlm_perl based<br>module (user password AND OTP token for two factor authentication)?<br>Should I maybe handle that in the configuration?<br></blockquote>
<div><br></div>
</div>
<div>The scheme of concatenating the password with the token string is user defined.</div>
<div>The yubikey module checks you've performed the split correctly, by looking at</div>
<div>the length of the User-Password. It cannot split out the password + OTP token</div>
<div>for you as it does not know your concatenation scheme. The yubikey module</div>
<div>restricts you to straight concatenation with no separator; FreeRADIUS lets you</div>
<div>use any scheme.</div>
<div><br></div>
<div>If you're doing 2FA as a single round with password + OTP concatenation, you</div>
<div>need something like:</div>
<div><br></div>
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">
<pre>authorize {
    # 44 is OTP len + ID Len
    if (User-Password =~ /^(.*)([cbdefghijklnrtuv]{44})$/) {
        update request {
            # := replaces the existing value; a plain = would leave it untouched
            User-Password := "%{2}"
        }
        yubikey
        if (ok) {
            update request {
                User-Password := "%{1}"
            }
        }
    }
    &lt;insert modules to get control:Password-With-Header or control:*-Password, ldap, files etc...&gt;
    pap
}</pre>
</blockquote>
<div><br></div>
<div>If you look, that's almost exactly what the perl module does.</div>
<div><br></div>
<div>The above will work for normal PAP auth as well as Yubikey auth, as normal</div>
<div>passwords are never likely to be that long and consist of modhex chars.</div>
<div><br></div>
<div>AFAIK Yubico don't authenticate passwords centrally, just the OTP codes.</div>
<div>If that's changed and the API allows the user's password to be sent in some</div>
<div>form I can take a look at updating the module, but I don't believe it has.</div>
<div><div><br></div>
<div>-Arran<br>
<div><br>
<div>Arran Cudbard-Bell &lt;<a href="mailto:a.cudbardb@freeradius.org">a.cudbardb@freeradius.org</a>&gt;<br>FreeRADIUS Development Team<br><br>FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2<br></div>
<br></div></div></div></body></html>
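The split Arran's authorize section performs, as an added Python example that is not part of the thread and not FreeRADIUS or rlm_yubikey code. It applies the same regex to the User-Password value from Frederic's radtest run (15-character password followed by a 44-character modhex OTP), shows why the unsplit value fails the module's length check ("expected 44, got 59"), and shows that an ordinary password with no modhex tail is left alone for pap. The names `split_password_otp`, `yubikey_length_check` and `authorize_plan` are hypothetical helpers chosen for this example; the 12-character public ID prefix is a property of YubiKey OTPs, not something the post states.

```python
import re

# YubiKey OTPs are 44 modhex characters (alphabet: c b d e f g h i j k l n r t u v):
# a 12-character public ID that identifies the key, then the 32-character token.
OTP_LEN = 44
PUBLIC_ID_LEN = 12

# Same regex as the unlang "if" in the post: greedy (.*) keeps the password,
# the trailing 44 modhex characters become the OTP.
SPLIT_RE = re.compile(r"^(.*)([cbdefghijklnrtuv]{%d})$" % OTP_LEN)


def split_password_otp(user_password):
    """Return (password, otp). When there is no 44-char modhex tail the value
    is returned whole with otp=None: that request just goes to pap, which is
    why the same authorize section also serves ordinary password users."""
    m = SPLIT_RE.match(user_password)
    if m is None:
        return user_password, None
    return m.group(1), m.group(2)


def yubikey_length_check(value):
    """The sanity check rlm_yubikey performs before contacting the validation
    server: returns (ok, actual_length). Handing it the unsplit User-Password
    is what produced 'expected 44, got 59' in the debug output."""
    return len(value) == OTP_LEN, len(value)


def authorize_plan(user_password):
    """Hypothetical helper: describe what the authorize section does for one
    request, i.e. the value the yubikey module sees, the password pap would
    verify afterwards, and the public ID that identifies the key."""
    password, otp = split_password_otp(user_password)
    if otp is None:
        return {"yubikey_input": None, "pap_password": password, "public_id": None}
    return {"yubikey_input": otp, "pap_password": password,
            "public_id": otp[:PUBLIC_ID_LEN]}


if __name__ == "__main__":
    # User-Password from the radtest run in the post: 15-char password + 44-char OTP.
    sample = "testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr"
    print(yubikey_length_check(sample))   # unsplit value: (False, 59)
    print(authorize_plan(sample))         # OTP and password separated
    print(authorize_plan("testing123"))   # plain password: no OTP, pap only
```

Because the split happens before the module runs, the OTP is validated on its own and the original password is restored only after `yubikey` returns ok, so the password check (ldap, files, pap) never sees the token appended.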