On Jul 1, 2021, at 11:10 AM, Jonathan C <raidenc@gmail.com> wrote:
It seems the 3.X version of freeradius doesn't know the output "ACCEPT" of the otpverify.sh script but I'm not sure and I don't know what i'm supposed to do to make it work like it's supposed to do.
See raddb/mods-available/exec and raddb/mods-available/echo for documentation on the exec scripts. In short, you can't just return random strings and have the server do magic things with the string.
Below the full output of debug :
FreeRADIUS Version 3.0.17
You should upgrade to the latest version. See http://packages.networkradius.com
# Loading module "motp" from file /etc/freeradius/3.0/radiusd.conf exec motp { wait = yes program = "/usr/sbin/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}" input_pairs = "request" output_pairs = "reply" shell_escape = yes }
Read the documentation. You've configured the module to read the output of the program, and expect to parse attributes. Then, those attributes are placed into the reply. You should probably also not put passwords onto the command-line. Other users on the same system may be able to read them.
... (0) motp: ERROR: Failed parsing output from: /usr/sbin/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}: Expecting operator
Exactly. It expects to read something like Framed-IP-Address := 1.2.3.4
(0) motp: ERROR: Program returned code (0) and output 'ACCEPT'
That's not an attribute, and it doesn't have an operator, and doesn't have a value. This never worked in v2, either. See modules/echo in v2. The documentation there is essentially the same as for v3. If you want the script to cause authentication to succeed or fail, then read the documentation, and have the script return an appropriate return code. Alan DeKok.