On 9 May 2014, at 15:49, Frederic Van Espen <frederic.ve@gmail.com> wrote:

On Fri, May 9, 2014 at 3:52 PM, Arran Cudbard-Bell
<a.cudbardb@freeradius.org> wrote:
I've fixed it in v3.0.x HEAD (which will become 3.0.3 very soon) so that
it just works. If you could test it'd be very much appreciated :)

For your setup with LDAP and crypt, it'd be something like:
authorize {
       yubikey
       ldap
}

authenticate {
       Auth-Type yubikey {
               yubikey
               pap
       }
}

Alas, does not seem to work with the configuration you suggest :-(

Git pull... I haven't fixed anything, but i've added a format marker,
so it'll show where in the string it found the non modhex char.

It'll only show up with -Xx because of the policy we introduced about
not showing sensitive strings with -X, after a couple of accidental
postings of passwords to GitHub and the list.

I tested with your string and it came back fine, so i'm a little confused.
Here's my output (with -Xx).

Received Access-Request Id 50 from 127.0.0.1:54741 to 127.0.0.1:1812 length 91
  Code: 1
  Id: 50
  Length: 91
  Vector: d6f8b36def2807b39afba22805bd09f5
  Data: 01  05  66 6f 6f 
02  42  d9 dc 63 29 40 fb 89 6d 8d 9c 24 bf 8b 63 a4 dd 
e0 72 05 bb 58 38 ab 56 7c 40 ec d8 51 8e 98 49 
cd a9 e4 4e 76 1a 53 0c 14 67 29 a2 98 c4 8d ad 
1a ce 51 70 e8 bb 44 70 ed ae 8e ff c6 8d 1a 8a 
User-Name = 'foo'
User-Password = 'testingpasswordccccccdbkebjkgfkgdrvthntvckrnifbicgrdgrldigl'
Fri May  9 18:40:54 2014 : Debug: (0) # Executing section authorize from file /usr/local/freeradius/etc/raddb/sites-enabled/default
Fri May  9 18:40:54 2014 : Debug: (0)   authorize {
Fri May  9 18:40:54 2014 : Debug: (0)   modsingle[authorize]: calling yubikey (rlm_yubikey) for request 0
Fri May  9 18:40:54 2014 : Debug: (0) yubikey : request:Yubikey-OTP := 'ccccccdbkebjkgfkgdrvthntvckrnifbicgrdgrldigl'
Fri May  9 18:40:54 2014 : Debug: (0) yubikey : request:User-Password := 'testingpassword'
Fri May  9 18:40:54 2014 : Debug: (0)   modsingle[authorize]: returned from yubikey (rlm_yubikey) for request 0
Fri May  9 18:40:54 2014 : Debug: (0)   [yubikey] = ok

and your debug was was:

Fri May  9 16:41:15 2014 : Debug: (0) yubikey : User-Password (aes-block) value contains non modhex chars

Meaning it found a char outside of "cbdefghijklnrtuv" in the AES block portion, but were using the same
string, so I don't see how that works.

Relevant configuration files and debug output:
mods-enabled/yubikey:
yubikey {
 split = yes
 decrypt = no
 validate = yes
 validation {
   servers {
   }
   client_id = XXXXX
   api_key = 'OBSCURED'

Hmm I'll add the << secret >> stuff to api_key as well.

-Arran

Arran Cudbard-Bell <a.cudbardb@freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2