On Fri, May 9, 2014 at 1:02 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
The scheme of concatenating the password with the token string is user defined. The yubikey module checks you've performed the split correctly, by looking at the length of the User-Password. It cannot split out the password + OTP token for you as it does not know your concatenation scheme. The yubikey module restricts you to straight concatenation with no separator, FreeRADIUS lets you use any scheme.
Makes sense. Thanks for the clarification!
If you're doing 2FA as a single round with password + OTP concatenation, you need something like:
authorize {
# 44 is OTP len + ID Len if (User-Password =~ /^(.*)([cbdefghijklnrtuv]{44})$/) { update request { User-Password = "%{2}" } yubikey if (ok) { update request { User-Password := "%{1}" } } } <insert modules to get control:Password-With-Header or control:*-Password, ldap, files etc...> pap
}
I'm still missing something here. It looks like the authorize section of rlm_yubikey always returns OK, regardless whether the OTP token was used or not. Only when I call the yubikey module in the authentice section is it really contacting the yubicloud servers and verifying the OTP. But then I always get authenticated without supplying the user password. Hence my next question, can I use 2 Auth-Type's in the authenticate section? Or is that exactly what you mean by <insert modules to get control:Password-With-Header or control:*-Password, ldap, files etc...> in your previous mail? Thanks, Frederic