On 9 May 2014, at 12:02, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 9 May 2014, at 11:14, Frederic Van Espen <frederic.ve@gmail.com> wrote:
On Fri, May 9, 2014 at 9:11 AM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
Which you'd get if you rolled your own packages, and hey you'd actually be contributing something, because if you came across any defects, you might actually be able to provide useful debugging info.
I now have version 3.0.2 up and running with rlm_yubikey. For this testing setup, I'm simply trying to validate to the public yubicloud server using the validate mode.
When I was using the rlm_perl based module, I was able to enter a user password, followed by the OTP token. The perl module extracted the OTP and passed on the user password for further authentication (in my case LDAP). Now when I use radtest like this: root@obelix-clone:/usr/src# radtest fes testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr 127.0.0.1 0 testing123 Sending Access-Request of id 85 from 0.0.0.0 port 56523 to 127.0.0.1 port 1812 User-Name = 'fes' User-Password = 'testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr' NAS-IP-Address = 172.16.35.65 NAS-Port = 0 Message-Authenticator = 0x00 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=85, length=20
Here's the output of the server: rad_recv: Access-Request packet from host 127.0.0.1 port 56523, id=85, length=121 User-Name = 'fes' User-Password = 'testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr' NAS-IP-Address = 172.16.35.65 NAS-Port = 0 Message-Authenticator = 0xf4c430ea058e22ef07ef239f42b0270f Fri May 9 11:52:20 2014 : Debug: (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default Fri May 9 11:52:20 2014 : Debug: (0) authorize { Fri May 9 11:52:20 2014 : Debug: (0) modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0 Fri May 9 11:52:20 2014 : Debug: (0) modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0 Fri May 9 11:52:20 2014 : Debug: (0) [preprocess] = ok Fri May 9 11:52:20 2014 : Debug: (0) modsingle[authorize]: calling yubikey (rlm_yubikey) for request 0 Fri May 9 11:52:20 2014 : Debug: (0) yubikey : User-Password value is not the correct length, expected 44, got 59
^ Look at me, look at me, i'm the reason why it's not working, look at me look at me.
Fri May 9 11:52:20 2014 : Debug: (0) modsingle[authorize]: returned from yubikey (rlm_yubikey) for request 0 Fri May 9 11:52:20 2014 : Debug: (0) [yubikey] = noop Fri May 9 11:52:20 2014 : Debug: (0) if (ok) Fri May 9 11:52:20 2014 : Debug: (0) if (ok) -> FALSE
Do you know of any way to regain the behaviour of the rlm_perl based module (user password AND OTP token for two factor authentication)? Should I maybe handle that in the configuration?
The scheme of concatenating the password with the token string is user defined. The yubikey module checks you've performed the split correctly, by looking at the length of the User-Password. It cannot split out the password + OTP token for you as it does not know your concatenation scheme. The yubikey module restricts you to straight concatenation with no separator, FreeRADIUS lets you use any scheme.
If you're doing 2FA as a single round with password + OTP concatenation, you need something like:
Oops. It's more like authorize { # 44 is OTP len + ID Len if (User-Password =~ /^(.*)([cbdefghijklnrtuv]{44})$/) { update request { User-Password = "%{2}" } yubikey.authenticate if (ok) { update request { User-Password := "%{1}" } } } <insert modules to get control:Password-With-Header or control:*-Password, ldap, files etc...> pap } Ok i'll see if I can fix the behaviour to be a little more sane. -Arran