On 9 May 2014, at 11:14, Frederic Van Espen <frederic.ve@gmail.com> wrote:
On Fri, May 9, 2014 at 9:11 AM, Arran Cudbard-Bell
<a.cudbardb@freeradius.org> wrote:
Which you'd get if you rolled your own packages, and hey you'd actually be
contributing something, because if you came across any defects, you might
actually be able to provide useful debugging info.
I now have version 3.0.2 up and running with rlm_yubikey. For this
testing setup, I'm simply trying to validate to the public yubicloud
server using the validate mode.
When I was using the rlm_perl based module, I was able to enter a user
password, followed by the OTP token. The perl module extracted the OTP
and passed on the user password for further authentication (in my case
LDAP). Now when I use radtest like this:
root@obelix-clone:/usr/src# radtest fes
testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr 127.0.0.1
0 testing123
Sending Access-Request of id 85 from 0.0.0.0 port 56523 to 127.0.0.1 port 1812
User-Name = 'fes'
User-Password = 'testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr'
NAS-IP-Address = 172.16.35.65
NAS-Port = 0
Message-Authenticator = 0x00
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=85, length=20
Here's the output of the server:
rad_recv: Access-Request packet from host 127.0.0.1 port 56523, id=85,
length=121
User-Name = 'fes'
User-Password = 'testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr'
NAS-IP-Address = 172.16.35.65
NAS-Port = 0
Message-Authenticator = 0xf4c430ea058e22ef07ef239f42b0270f
Fri May 9 11:52:20 2014 : Debug: (0) # Executing section authorize
from file /etc/freeradius/sites-enabled/default
Fri May 9 11:52:20 2014 : Debug: (0) authorize {
Fri May 9 11:52:20 2014 : Debug: (0) modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 0
Fri May 9 11:52:20 2014 : Debug: (0) modsingle[authorize]: returned
from preprocess (rlm_preprocess) for request 0
Fri May 9 11:52:20 2014 : Debug: (0) [preprocess] = ok
Fri May 9 11:52:20 2014 : Debug: (0) modsingle[authorize]: calling
yubikey (rlm_yubikey) for request 0
Fri May 9 11:52:20 2014 : Debug: (0) yubikey : User-Password value is
not the correct length, expected 44, got 59
^ Look at me, look at me, i'm the reason why it's not working, look at me look at me.
Fri May 9 11:52:20 2014 : Debug: (0) modsingle[authorize]: returned
from yubikey (rlm_yubikey) for request 0
Fri May 9 11:52:20 2014 : Debug: (0) [yubikey] = noop
Fri May 9 11:52:20 2014 : Debug: (0) if (ok)
Fri May 9 11:52:20 2014 : Debug: (0) if (ok) -> FALSE
Do you know of any way to regain the behaviour of the rlm_perl based
module (user password AND OTP token for two factor authentication)?
Should I maybe handle that in the configuration?
The scheme of concatenating the password with the token string is user defined.
The yubikey module checks you've performed the split correctly, by looking at
the length of the User-Password. It cannot split out the password + OTP token
for you as it does not know your concatenation scheme. The yubikey module
restricts you to straight concatenation with no separator, FreeRADIUS lets you
use any scheme.
If you're doing 2FA as a single round with password + OTP concatenation, you
need something like:
authorize {
# 44 is OTP len + ID Len
if (User-Password =~ /^(.*)([cbdefghijklnrtuv]{44})$/) {
update request {
User-Password = "%{2}"
}
yubikey
if (ok) {
update request {
User-Password := "%{1}"
}
}
}
<insert modules to get control:Password-With-Header or control:*-Password, ldap, files etc...>
pap
}
If you look, that's almost exactly what the perl module does.
The above will work for normal PAP auth as well as Yubikey auth, as normal
passwords are never likely to be that long and consist of modhex chars.
AFAIK yubico don't authenticate passwords centrally, just the OTP codes.
If that's changed and the API allows the user's password to be sent in some
form I can take a look at updating the module, but I don't believe it has.