my first freeradius module
Hi, I'm kinda new to Freeradius and at the same time I'm learning it, I'm seeing I gonna need to develop a new module for it. This module will do OTP two way authentication. It will extract part of the password (ex.: latest 6 digits) to verify and the remaining "password" will be returned to Freeradius to test against another module (LDAP for example). In this module I need to store user information on some place, including usernames, keys, secrets, last OTP, offset, etc. I have some options: * Use some file like the "users" file from freeradius or a tabulated file. Read this file in memory and update user information in memory and in file when needed, so if Freeradius is restarted, or the machines crashes, the updated information is not lost. However I don't know exactly if I'm going to have problems with the "module needs to update file" part. Don't know how Freeradius's internal API/libs work with files. I'm trying to understand rlm_files.c but this module only reads the "users" file. * Use MySQL or Redis to store this information. As they support atomic operations I should have no problem using them. However I gonna need to link the module against some external lib and I fear this may bring Freeradius some problems, and I'll have another service to monitor, manage, etc. What do you suggest? Is there any other way to do this two way authentication without needing to develop a module for it? thanks in advance, Herbert
Hi,
I'm kinda new to Freeradius and at the same time I'm learning it, I'm seeing I gonna need to develop a new module for it.
This module will do OTP two way authentication. It will extract part of the password (ex.: latest 6 digits) to verify and the remaining "password" will be returned to Freeradius to test against another module (LDAP for example).
In this module I need to store user information on some place, including usernames, keys, secrets, last OTP, offset, etc.
Would you like freeradius act as a token? The principle of operation of OTP is to not store nothing, it just returns a temporary password based an some one-way algorithm, this temporary password is basically the result of PIN received from user. Look at this project, maybe it can help you. It´s works jointly with radius. http://motp.sourceforge.net/ Toledo
Hi Toledo, I'm glad to find you here! I'm going to use time based tokens that need to be in sync with the radius server's clock, and from time-to-time the module need to resync the token and store a time-offset information. That's why the module need to store information. Unfortunately the motp is not compatible with the token I'm going to use. Thanks anyway! On Sat, Mar 12, 2011 at 12:52, Toledo, Luis Carlos <lscrlstld@gmail.com>wrote:
Hi,
I'm kinda new to Freeradius and at the same time I'm learning it, I'm seeing I gonna need to develop a new module for it.
This module will do OTP two way authentication. It will extract part of the password (ex.: latest 6 digits) to verify and the remaining "password" will be returned to Freeradius to test against another module (LDAP for example).
In this module I need to store user information on some place, including usernames, keys, secrets, last OTP, offset, etc.
Would you like freeradius act as a token? The principle of operation of OTP is to not store nothing, it just returns a temporary password based an some one-way algorithm, this temporary password is basically the result of PIN received from user.
Look at this project, maybe it can help you. It´s works jointly with radius. http://motp.sourceforge.net/
Toledo
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
On Fri, Mar 11, 2011 at 06:13:45PM -0300, Herbert Fischer wrote:
This module will do OTP two way authentication. It will extract part of the password (ex.: latest 6 digits) to verify and the remaining "password" will be returned to Freeradius to test against another module (LDAP for example). ... What do you suggest? Is there any other way to do this two way authentication without needing to develop a module for it?
Have you looked in the src/modules directory? And you've seen that there's src/modules/rlm_otp already? If that does the OTP part in the way you need, then splitting the password into two is easy. if (User-Password =~ /^(......)(.*)$/) { update request { # The OTP password for rlm_otp to check User-Password = "%{1}" # The remainder to check against mysql or ldap Tmp-String-0 = "%{2}" } } ... continue See "man unlang" for the details. This won't work for CHAP-Challenge/CHAP-Password, obviously - only PAP. (rlm_otp appears to be undocumented, so if you want to update http://wiki.freeradius.org/Rlm_otp as you work with it, that would be a useful contribution) Otherwise, to make a completely custom module which links against an existing C library, you can start with rlm_example and borrow logic from other modules as required. But you're right, it's tricky to do properly. If that were necessary, I'd say you'd be better off using rlm_perl or rlm_python and writing the logic there. Regards, Brian.
Incidentally - what you describe sounds very much like RSA SecurID, where the user's passcode consists of a PIN (from database) plus 6 digits from the token. Are you actually trying to implement SecurID for freeradius? Because if you say so, someone might have a solution already. Other options I didn't mention: external exec script; PAM.
No, it's not RSA SecurID. It's a two factor auth. User Password + OTP. Thanks! On Sun, Mar 13, 2011 at 06:14, Brian Candler <B.Candler@pobox.com> wrote:
Incidentally - what you describe sounds very much like RSA SecurID, where the user's passcode consists of a PIN (from database) plus 6 digits from the token.
Are you actually trying to implement SecurID for freeradius? Because if you say so, someone might have a solution already.
Other options I didn't mention: external exec script; PAM. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Hi Brian, Yes, I've looked into rlm_otp already, however the token I'm going to use does not work with OTPd's algorithms. Anyway, thanks for the splitting code. I've tryed to do this before without success. I'll try your sample code. Your answer was very helphul. Thanks! On Sun, Mar 13, 2011 at 04:38, Brian Candler <B.Candler@pobox.com> wrote:
On Fri, Mar 11, 2011 at 06:13:45PM -0300, Herbert Fischer wrote:
This module will do OTP two way authentication. It will extract part of the password (ex.: latest 6 digits) to verify and the remaining "password" will be returned to Freeradius to test against another module (LDAP for example). ... What do you suggest? Is there any other way to do this two way authentication without needing to develop a module for it?
Have you looked in the src/modules directory? And you've seen that there's src/modules/rlm_otp already? If that does the OTP part in the way you need, then splitting the password into two is easy.
if (User-Password =~ /^(......)(.*)$/) { update request { # The OTP password for rlm_otp to check User-Password = "%{1}" # The remainder to check against mysql or ldap Tmp-String-0 = "%{2}" } } ... continue
See "man unlang" for the details. This won't work for CHAP-Challenge/CHAP-Password, obviously - only PAP.
(rlm_otp appears to be undocumented, so if you want to update http://wiki.freeradius.org/Rlm_otp as you work with it, that would be a useful contribution)
Otherwise, to make a completely custom module which links against an existing C library, you can start with rlm_example and borrow logic from other modules as required. But you're right, it's tricky to do properly.
If that were necessary, I'd say you'd be better off using rlm_perl or rlm_python and writing the logic there.
Regards,
Brian. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
participants (3)
-
Brian Candler -
Herbert Fischer -
Toledo, Luis Carlos