Any One-Time password system.
Hello. I am new here. And my first message concerns One-Time password authentication. I have a problem with installing rlm_smsotp + http://wiki.freeradius.org/modules/Rlm_smsotp. I am always getting an error "/var/run/smsotp_socket No such file or directory". I am sure that smsotp_socket exists and has appropiate permission (i even tryed to run freeradius with root privileges). After some researches i conclude that the problem is in rlm_smsotp module. I cann`t find any other couse of the problem. Breaf information about my system and soft versions. FreeBSD 9.1 FreeRADIUS 2.2.0 log============================================================ rad_recv: Access-Request packet from host 172.16.17.0 port 1645, id=79, length=64 Framed-Protocol = PPP User-Name = "test_user" User-Password = "test_pass" Service-Type = Framed-User NAS-IP-Address = 172.16.17.0 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.16.17.0 [auth_log] expand: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radacct/172.16.17.0/auth-detail-20130513 [auth_log] /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/172.16.17.0/auth-detail-20130513 [auth_log] expand: %t -> Mon May 13 16:51:36 2013 ++[auth_log] returns ok ++[smsotp] returns ok [suffix] No '@' in User-Name = "test_user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [sql] expand: %{User-Name} -> test_user [sql] sql_set_user escaped user --> 'test_user' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test_user' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test_user' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test_user' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Everyone' ORDER BY id [sql] User found in group Everyone [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Everyone' ORDER BY id rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok rlm_checkval: Could not find item named Calling-Station-Id in request rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = smsotp # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group smsotp {...} [pap] login attempt with password "test_pass" [pap] Using clear text password "test_pass" [pap] User authenticated successfully ++[pap] returns ok rlm_smsotp: smsotp_connect: connect(/var/run/smsotp_socket): No such file or directory ++[smsotp] returns fail Failed to authenticate the user. Login incorrect: [test_user/test_pass] (from client DMcore port 0) Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test_user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 79 to 172.16.17.0 port 1645 Waking up in 4.9 seconds. Cleaning up request 0 ID 79 with timestamp +11 Ready to process requests. Can anybody advise me simple way of implementation OTP with freeradius2 and daloradius as a frontend? Or maybe there is a solution for rlm_smsotp/ Thank you. -- ------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
On Mon, May 13, 2013 at 8:58 PM, Sergii Bieliaievskyi < s.bieliaievskyi@sethq.com> wrote:
Hello.
I am new here. And my first message concerns One-Time password authentication. I have a problem with installing rlm_smsotp + http://wiki.freeradius.org/modules/Rlm_smsotp. I am always getting an error "/var/run/smsotp_socket No such file or directory". I am sure that smsotp_socket exists and has appropiate permission (i even tryed to run freeradius with root privileges). After some researches i conclude that the problem is in rlm_smsotp module.
Really?
I cann`t find any other couse of the problem.
I don't use rlm_smsotp, but reading the wiki page, you're supposed to have smsotpd running. Do you? -- Fajar
As I sad before I am sure that smsotp_socket exists and has appropiate permission. So smsotpd is running. There are 2 different variant of running smsotpd. 1) smsotpd.pl 2) binary file. I made some efforts to compile them under FreeBSD. Any other guessing? May be somebody can advise more systems like smsotpd. 2013/5/13 Fajar A. Nugraha <list@fajar.net>
On Mon, May 13, 2013 at 8:58 PM, Sergii Bieliaievskyi < s.bieliaievskyi@sethq.com> wrote:
Hello.
I am new here. And my first message concerns One-Time password authentication. I have a problem with installing rlm_smsotp + http://wiki.freeradius.org/modules/Rlm_smsotp. I am always getting an error "/var/run/smsotp_socket No such file or directory". I am sure that smsotp_socket exists and has appropiate permission (i even tryed to run freeradius with root privileges). After some researches i conclude that the problem is in rlm_smsotp module.
Really?
I cann`t find any other couse of the problem.
I don't use rlm_smsotp, but reading the wiki page, you're supposed to have smsotpd running. Do you?
-- Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
On Tue, May 14, 2013 at 1:06 PM, Sergii Bieliaievskyi < s.bieliaievskyi@sethq.com> wrote:
As I sad before I am sure that smsotp_socket exists and has appropiate permission. So smsotpd is running. There are 2 different variant of running smsotpd. 1) smsotpd.pl 2) binary file. I made some efforts to compile them under FreeBSD.
Any other guessing?
Selinux? If you're on RH-based distros, it's a good idea to set them off for testing. Also, try using something like "nc -U /var/run/smsotp_socket" as the user FR is running (you might need to change it's shell to /bin/bash first) to make sure you have no permission problems. -- Fajar
:) I am using FreeBSD distro. People! Help me please. I will take into consideration any suggestion concern OTP, any open source project, just anything..... 2013/5/14 Fajar A. Nugraha <list@fajar.net>
On Tue, May 14, 2013 at 1:06 PM, Sergii Bieliaievskyi < s.bieliaievskyi@sethq.com> wrote:
As I sad before I am sure that smsotp_socket exists and has appropiate permission. So smsotpd is running. There are 2 different variant of running smsotpd. 1) smsotpd.pl 2) binary file. I made some efforts to compile them under FreeBSD.
Any other guessing?
Selinux? If you're on RH-based distros, it's a good idea to set them off for testing.
Also, try using something like "nc -U /var/run/smsotp_socket" as the user FR is running (you might need to change it's shell to /bin/bash first) to make sure you have no permission problems.
-- Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
On Tue, May 14, 2013 at 1:53 PM, Sergii Bieliaievskyi < s.bieliaievskyi@sethq.com> wrote:
:) I am using FreeBSD distro.
Ouch, wonder how I could missed that :P
People! Help me please. I will take into consideration any suggestion concern OTP, any open source project, just anything.....
does "nc" work? If not, something's probably wrong in permissions. Otherwise, your best bet is probably to contact Thomas Glanzmann directly. -- Fajar
Am Dienstag, 14. Mai 2013, 09:53:30 schrieb Sergii Bieliaievskyi:
:) I am using FreeBSD distro.
People! Help me please. I will take into consideration any suggestion concern OTP, any open source project, just anything.....
I tried motp. Works nice. You can install the otp generator on your smartphone. See: http://sys4.de/en/blog/2013/03/16/otp-freeradius/ -- Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
I am reading about MOTP and realy hope to implement its in my network. Could I count on your help if i will have a difficulties? Thanks in advance 2013/5/14 Michael Schwartzkopff <ms@sys4.de>
**
Am Dienstag, 14. Mai 2013, 09:53:30 schrieb Sergii Bieliaievskyi:
:) I am using FreeBSD distro.
People! Help me please. I will take into consideration any suggestion
concern OTP, any open source project, just anything.....
I tried motp. Works nice. You can install the otp generator on your
smartphone. See:
http://sys4.de/en/blog/2013/03/16/otp-freeradius/
--
Mit freundlichen Grüßen,
Michael Schwartzkopff
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
I'm the current project lead for the MOTP-AS project [1], so I'm happy to help with anything relating to that project (off this list, unless it's directly FR related) :) [1] https://github.com/MOTP-AS/MOTP-AS -- Jon "The Nice Guy" Spriggs On 14 May 2013 08:26, Sergii Bieliaievskyi <s.bieliaievskyi@sethq.com>wrote:
I am reading about MOTP and realy hope to implement its in my network. Could I count on your help if i will have a difficulties?
Thanks in advance
2013/5/14 Michael Schwartzkopff <ms@sys4.de>
**
Am Dienstag, 14. Mai 2013, 09:53:30 schrieb Sergii Bieliaievskyi:
:) I am using FreeBSD distro.
People! Help me please. I will take into consideration any suggestion
concern OTP, any open source project, just anything.....
I tried motp. Works nice. You can install the otp generator on your
smartphone. See:
http://sys4.de/en/blog/2013/03/16/otp-freeradius/
--
Mit freundlichen Grüßen,
Michael Schwartzkopff
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged.
If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited.
If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I am so sorry. May be i should take a look on MOTP-AS more deeply 2013/5/14 Jon Spriggs <jon@sprig.gs>
I'm the current project lead for the MOTP-AS project [1], so I'm happy to help with anything relating to that project (off this list, unless it's directly FR related) :)
[1] https://github.com/MOTP-AS/MOTP-AS
-- Jon "The Nice Guy" Spriggs
On 14 May 2013 08:26, Sergii Bieliaievskyi <s.bieliaievskyi@sethq.com>wrote:
I am reading about MOTP and realy hope to implement its in my network. Could I count on your help if i will have a difficulties?
Thanks in advance
2013/5/14 Michael Schwartzkopff <ms@sys4.de>
**
Am Dienstag, 14. Mai 2013, 09:53:30 schrieb Sergii Bieliaievskyi:
:) I am using FreeBSD distro.
People! Help me please. I will take into consideration any suggestion
concern OTP, any open source project, just anything.....
I tried motp. Works nice. You can install the otp generator on your
smartphone. See:
http://sys4.de/en/blog/2013/03/16/otp-freeradius/
--
Mit freundlichen Grüßen,
Michael Schwartzkopff
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged.
If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited.
If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
Am Dienstag, 14. Mai 2013, 10:26:17 schrieb Sergii Bieliaievskyi:
I am reading about MOTP and realy hope to implement its in my network. Could I count on your help if i will have a difficulties?
Of course. That is what the mailing list exists for. On the other hand I earn my money with consulting ;-) Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Hi Sergii, if one day you not only would want to use motp but also other token types like HOTP, TOTP, SMS or OCRA tokens, you might want to take a look at LinOTP (http://linotp.org), which also integrates well with FreeRADIUS. OK, to be honest we try to make our living selling licenses and support for an enterprise version of the open source LinOTP solution. Of course the AGPL licensed LinOTP can be used free of charge. Kind regards Cornelius Am 14.05.2013 20:40, schrieb Michael Schwartzkopff:
Am Dienstag, 14. Mai 2013, 10:26:17 schrieb Sergii Bieliaievskyi:
I am reading about MOTP and realy hope to implement its in my network.
Could I count on your help if i will have a difficulties?
Of course. That is what the mailing list exists for.
On the other hand I earn my money with consulting ;-)
Mit freundlichen Grüßen,
Michael Schwartzkopff
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Cornelius Kölbel (Head of Product Management) http://www.lsexperts.de LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt Tel: +49 6151 86086-252, Fax: -299, Mobil: +49 160 96307089 Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649 Geschaeftsfuehrer: Oliver Michel, Sven Walther, Dr. Peter Schill
2013/5/14 Michael Schwartzkopff <ms@sys4.de>
**
I tried motp. Works nice. You can install the otp generator on your
smartphone. See:
http://sys4.de/en/blog/2013/03/16/otp-freeradius/
What type of authorization do you use(PAP CHAP MS-CHAP) for OTP?
-- ------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
MOTP-AS uses plain-text credentials right now, but I'm still integrating myself properly into the project, and I've not really experimented with any other modes. -- Jon "The Nice Guy" Spriggs On 14 May 2013 15:49, Sergii Bieliaievskyi <s.bieliaievskyi@sethq.com>wrote:
2013/5/14 Michael Schwartzkopff <ms@sys4.de>
**
I tried motp. Works nice. You can install the otp generator on your
smartphone. See:
http://sys4.de/en/blog/2013/03/16/otp-freeradius/
What type of authorization do you use(PAP CHAP MS-CHAP) for OTP?
------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged.
If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited.
If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Is it possible to use OTP with ms-chap authorization? Because any other methods don`t support encryption for example MPPE. With PAP OTP works fine but with ms-chap cann`t authenticate. 2013/5/14 Jon Spriggs <jon@sprig.gs>
MOTP-AS uses plain-text credentials right now, but I'm still integrating myself properly into the project, and I've not really experimented with any other modes.
-- Jon "The Nice Guy" Spriggs
On 14 May 2013 15:49, Sergii Bieliaievskyi <s.bieliaievskyi@sethq.com>wrote:
2013/5/14 Michael Schwartzkopff <ms@sys4.de>
**
I tried motp. Works nice. You can install the otp generator on your
smartphone. See:
http://sys4.de/en/blog/2013/03/16/otp-freeradius/
What type of authorization do you use(PAP CHAP MS-CHAP) for OTP?
------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged.
If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited.
If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
This is so frustrating :( How it can be possible to do strong security using reliable passwords and to have no encryption in the same time. 2013/5/16 Thomas Glanzmann <thomas@glanzmann.de>
Hello Sergii,
Is it possible to use OTP with ms-chap authorization?
no, it is _not_.
Cheers, Thomas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
Sergii Bieliaievskyi wrote:
This is so frustrating :( How it can be possible to do strong security using reliable passwords and to have no encryption in the same time.
I think you misunderstand the issues. OTP passwords were created so that it doesn't *require* that the password be hidden. Systems like MSCHAP were created so that the passwords could be used many times, because they're hashed. The two systems are *designed* to be incompatible. Alan DeKok.
2013/5/16 Alan DeKok <aland@deployingradius.com>
Sergii Bieliaievskyi wrote:
This is so frustrating :( How it can be possible to do strong security using reliable passwords and to have no encryption in the same time.
I think you misunderstand the issues.
OTP passwords were created so that it doesn't *require* that the password be hidden.
Systems like MSCHAP were created so that the passwords could be used many times, because they're hashed.
The two systems are *designed* to be incompatible.
But only ms-chap supports data encryption. I want to use OTP and MPPE simulteniosly. But MPPE without ms-chap cann`t exist. Am I right? -- ------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
I want to change my security strategy. It would be better to user two step verification by google. There is google-authenticator (http://code.google.com/p/google-authenticator/) but it checks users in local database /etc/passwd and so on. How should I synchronize my unix box with corporate google account database? Does anybody have such an experience? 2013/5/16 Sergii Bieliaievskyi <s.bieliaievskyi@sethq.com>
2013/5/16 Alan DeKok <aland@deployingradius.com>
Sergii Bieliaievskyi wrote:
This is so frustrating :( How it can be possible to do strong security using reliable passwords and to have no encryption in the same time.
I think you misunderstand the issues.
OTP passwords were created so that it doesn't *require* that the password be hidden.
Systems like MSCHAP were created so that the passwords could be used many times, because they're hashed.
The two systems are *designed* to be incompatible.
But only ms-chap supports data encryption. I want to use OTP and MPPE simulteniosly. But MPPE without ms-chap cann`t exist. Am I right?
-- ------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
Sergii Bieliaievskyi wrote:
I want to change my security strategy.
I think you're taking the wrong approach. You don't get security by using a bunch of "security" software. You get security by understanding the risks, and working to minimize them.
It would be better to user two step verification by google. There is google-authenticator (http://code.google.com/p/google-authenticator/) but it checks users in local database /etc/passwd and so on. How should I synchronize my unix box with corporate google account database? Does anybody have such an experience?
I doubt it. And you'll probably run into timeouts. Users will take a long time to do two-step authentication. By the time they're done, the NAS will often give up on the authentication request. Your system will be so secure that no one will be able to log in. Alan DeKok.
2013/5/16 Alan DeKok <aland@deployingradius.com>
Sergii Bieliaievskyi wrote:
But only ms-chap supports data encryption. I want to use OTP and MPPE simulteniosly. But MPPE without ms-chap cann`t exist. Am I right?
Yes.
So.... OTP is useless I donn`t need system with strong password and unencrypted data transfer.
-- ------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
On 16 May 2013, at 09:27, Sergii Bieliaievskyi <s.bieliaievskyi@sethq.com> wrote:
2013/5/16 Alan DeKok <aland@deployingradius.com> Sergii Bieliaievskyi wrote:
This is so frustrating :( How it can be possible to do strong security using reliable passwords and to have no encryption in the same time.
I think you misunderstand the issues.
OTP passwords were created so that it doesn't *require* that the password be hidden.
Systems like MSCHAP were created so that the passwords could be used many times, because they're hashed.
The two systems are *designed* to be incompatible.
But only ms-chap supports data encryption. I want to use OTP and MPPE simulteniosly. But MPPE without ms-chap cann`t exist. Am I right?
What are you actually trying to use this with? 802.1X/WPA2-Enterprise or for VPN authentication. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
2013/5/16 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
What are you actually trying to use this with?
802.1X/WPA2-Enterprise or for VPN authentication.
VPN authentication. And it should be multiplatform VPN. PPTP is supported by almost every vendors. I can establish PPTP connection from iPhone, Android,Linux, MacOS.... and so on That`s why PPTP is preferable. -- ------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
PPTP is broken [1]. OpenVPN (for which there are clients for Android, iPhone, MacOS, Linux, Windows) is not. OpenVPN will use TLS certificates as well as other centrally managed authentication based systems (e.g. Radius, MOTP, maybe Google Authenticator?) to authenticate and authorize. There are lots and lots and lots of postings online discussing how to do these. [1] https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ also http://www.h-online.com/security/features/A-death-blow-for-PPTP-1716768.html... many others. -- Jon "The Nice Guy" Spriggs On 16 May 2013 15:41, Sergii Bieliaievskyi <s.bieliaievskyi@sethq.com>wrote:
2013/5/16 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
What are you actually trying to use this with?
802.1X/WPA2-Enterprise or for VPN authentication.
VPN authentication. And it should be multiplatform VPN. PPTP is supported by almost every vendors. I can establish PPTP connection from iPhone, Android,Linux, MacOS.... and so on That`s why PPTP is preferable.
------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged.
If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited.
If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 16/05/13 14:27, Sergii Bieliaievskyi wrote:
2013/5/16 Alan DeKok <aland@deployingradius.com <mailto:aland@deployingradius.com>>
Sergii Bieliaievskyi wrote: > This is so frustrating :( > How it can be possible to do strong security using reliable passwords > and to have no encryption in the same time.
I think you misunderstand the issues.
OTP passwords were created so that it doesn't *require* that the password be hidden.
Systems like MSCHAP were created so that the passwords could be used many times, because they're hashed.
The two systems are *designed* to be incompatible.
But only ms-chap supports data encryption. I want to use OTP and MPPE simulteniosly. But MPPE without ms-chap cann`t exist. Am I right?
No. MPPE requires encryption keys. These can be generated by whatever auth method. If you use plain MSCHAP, MSCHAP generates them. If you use PEAP/MSCHAP, PEAP generates them - the MSCHAP MPPE keys are thrown away, and not used. If you use PEAP/GTC, again PEAP generates the MPPE keys. If you use TTLS/PAP, TTLS generates the MPPE keys.
2013/5/16 Phil Mayers <p.mayers@imperial.ac.uk>
No.
MPPE requires encryption keys. These can be generated by whatever auth method.
If you use plain MSCHAP, MSCHAP generates them.
Can you provide more information how can i do that? Or where can i read about that? Thnx. -- ------------------------------ PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is strictly prohibited. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
On 16/05/13 15:45, Sergii Bieliaievskyi wrote:
2013/5/16 Phil Mayers <p.mayers@imperial.ac.uk <mailto:p.mayers@imperial.ac.uk>>
No.
MPPE requires encryption keys. These can be generated by whatever auth method.
If you use plain MSCHAP, MSCHAP generates them.
Can you provide more information how can i do that? Or where can i read about that?
I apologise - I misunderstood what you were doing. If you're using plain MSCHAP for PPTP and want to combine this with OTP, it's probably impossible.
On Thu, May 16, 2013 at 11:18 AM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 16/05/13 15:45, Sergii Bieliaievskyi wrote:
2013/5/16 Phil Mayers <p.mayers@imperial.ac.uk <mailto:p.mayers@imperial.ac.**uk <p.mayers@imperial.ac.uk>>>
No.
MPPE requires encryption keys. These can be generated by whatever auth method.
If you use plain MSCHAP, MSCHAP generates them.
Can you provide more information how can i do that? Or where can i read about that?
I apologise - I misunderstood what you were doing.
If you're using plain MSCHAP for PPTP and want to combine this with OTP, it's probably impossible.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Hmm. I did a test integration with our two-factor authentication server and poptop: http://www.howtoforge.com/security-issues-and-poptop-pptp. It worked, but I agree that PPTP is beyond busted. OpenVPN is a much better choice. It is also super simple to integrate via PAM: http://www.wikidsystems.com/support/wikid-support-center/how-to/using-wikid-... . Those examples use our Enterprise edition which supports radius (via a 3rd party, licensed module). I would love it if someone would do a freeradius module using our API: http://www.wikidsystems.com/downloads/network-clients. We have a python package. nick
On 16/05/13 13:44, Sergii Bieliaievskyi wrote:
This is so frustrating :( How it can be possible to do strong security using reliable passwords and to have no encryption in the same time.
Because the protocols are old, and badly designed, but are widely deployed because the vendor (Microsoft) has monopoly power.
Hello Sergii, don't use the C daemon it has to many moving parts. I later wrote a perl module which is easy to use. See: http://thomas.glanzmann.de/smsotpd.2012-10-05.tar.bz2 Follow the instructions in smsotpd.2012-10-05/rlm_perl/README If you have any further questions, let me know, but this should get you started quick. To my knowledge freeradius 3.0 does now everything to do smsotp natively, but I never took the time to try it. The above solution is running in production for 3000 users. In the tar ball is also a smsotp test client. Cheers, Thomas
participants (10)
-
Alan DeKok -
Arran Cudbard-Bell -
Cornelius Kölbel -
Fajar A. Nugraha -
Jon Spriggs -
Michael Schwartzkopff -
Nick Owen -
Phil Mayers -
Sergii Bieliaievskyi -
Thomas Glanzmann