On Sat, May 10, 2014 at 2:44 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
I don't believe the configuration was changed, and it was working on 3.0.2 with the password and token splitting done in the vhost config. I'll test later today with version 3.0.2 again to confirm.
OK.
Confirmed, without even touching the rlm_yubikey config file and simply downgrading the packages, authentication works fine. The API key was not changed in the config files.
Thanks.
Hm, fixed that one issue, doubt it would of cause a validation error though.
The rest of the output was false positives. The server just exits without attempting to cleanup unless you specify -m.
That's weird. I did start it like this: valgrind --leak-check=full /usr/sbin/freeradius -Xx -m
I've made it a bit more strict about starting up with invalid API keys, so if it's getting the config from where other than where you think it is, it'll refuse to start.
I took a few HTTP traces to compare the difference between 3.0.2 and 3.0.3. Here's the request for 3.0.2: 48.948991 172.16.35.65 -> 103.6.213.69 HTTP 293 GET /wsapi/2.0/verify?id=<XXXXX>&nonce=rvepnyfmrllivnnlbuorqnpetedqwldn&otp=ccccccdbkebjdktflifkufelthvkbjucgfefkijlvrdc&h=V1HcnOhTiaW2mxs5Zgeg1VqFU5k%3D HTTP/1.1 And here's one for 3.0.3: 0.033011 172.16.35.65 -> 109.74.193.72 HTTP 264 GET /wsapi/2.0/verify?id=<XXXXX>&nonce=tughzbxuolnhvjqhyryljthvdkwwyjnu&otp=testingpassword&h=uJfyrooihrq7onQhW8coLiyWARE%3D HTTP/1.1 Looks like we're sending the user's password instead of the OTP :-) I guess that should be easy to fix? Cheers, Frederic