On 10 May 2014, at 00:04, Frederic Van Espen <frederic.ve@gmail.com> wrote:
On Fri, May 9, 2014 at 9:45 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
Git pull... I haven't fixed anything, but i've added a format marker, so it'll show where in the string it found the non modhex char.
It'll only show up with -Xx because of the policy we introduced about not showing sensitive strings with -X, after a couple of accidental postings of passwords to GitHub and the list.
I tested with your string and it came back fine, so i'm a little confused. Here's my output (with -Xx).
Received Access-Request Id 50 from 127.0.0.1:54741 to 127.0.0.1:1812 length 91 Code: 1 Id: 50 Length: 91 Vector: d6f8b36def2807b39afba22805bd09f5 Data: 01 05 66 6f 6f 02 42 d9 dc 63 29 40 fb 89 6d 8d 9c 24 bf 8b 63 a4 dd e0 72 05 bb 58 38 ab 56 7c 40 ec d8 51 8e 98 49 cd a9 e4 4e 76 1a 53 0c 14 67 29 a2 98 c4 8d ad 1a ce 51 70 e8 bb 44 70 ed ae 8e ff c6 8d 1a 8a User-Name = 'foo' User-Password = 'testingpasswordccccccdbkebjkgfkgdrvthntvckrnifbicgrdgrldigl' Fri May 9 18:40:54 2014 : Debug: (0) # Executing section authorize from file /usr/local/freeradius/etc/raddb/sites-enabled/default Fri May 9 18:40:54 2014 : Debug: (0) authorize { Fri May 9 18:40:54 2014 : Debug: (0) modsingle[authorize]: calling yubikey (rlm_yubikey) for request 0 Fri May 9 18:40:54 2014 : Debug: (0) yubikey : request:Yubikey-OTP := 'ccccccdbkebjkgfkgdrvthntvckrnifbicgrdgrldigl' Fri May 9 18:40:54 2014 : Debug: (0) yubikey : request:User-Password := 'testingpassword' Fri May 9 18:40:54 2014 : Debug: (0) modsingle[authorize]: returned from yubikey (rlm_yubikey) for request 0 Fri May 9 18:40:54 2014 : Debug: (0) [yubikey] = ok
and your debug was was:
Fri May 9 16:41:15 2014 : Debug: (0) yubikey : User-Password (aes-block) value contains non modhex chars
Meaning it found a char outside of "cbdefghijklnrtuv" in the AES block portion, but were using the same string, so I don't see how that works.
Are you sure you did not change anything else?
Ah, yes, I accidentally fixed it. https://github.com/FreeRADIUS/freeradius-server/commit/34dd540de3ac66c659e3d... Was reading len bytes, should of only been 44 :)
Output is different this time and I'm doing the same thing with the same config. I'm starting it by running "freeradius -Xx" as you suggested. Looks like the authorize section worked correctly (it set Auth-Type to yubikey), but then authentication part fails (BAD_SERVER_SIGNATURE):
Hm, that apparently means that the API key was incorrect. Double check the config? or valgrind --leak-check=full <path to freeradius> <args> -m I guess it could be memory corruption... I can have a look on Monday if it's still not working. I just don't have my yubikey token at home. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2