freeradius using pam_oath doesn't return otp challenge
Hi. I'd like to have freeradius authenticate users using their password (for simplicity I'm using /etc/shadow now) and TOTP through liboath. I was hoping to use freeradius to centralize this. PAM looked like the easiest way. I'm using freeradius 2.1.12 from debian wheezy. PAM confiuration is simple: auth required pam_unix.so nullok_secure auth requisite pam_oath.so usersfile=/etc/users.oath debug On the testing machine runnning freeradius this works great for su: <root|lex>[pam.d]# su Password: [pam_oath.c:parse_cfg(118)] called. [pam_oath.c:parse_cfg(119)] flags 0 argc 3 [pam_oath.c:parse_cfg(121)] argv[0]=usersfile=/etc/users.oath [pam_oath.c:parse_cfg(121)] argv[1]=window=1 [pam_oath.c:parse_cfg(121)] argv[2]=debug [pam_oath.c:parse_cfg(122)] debug=1 [pam_oath.c:parse_cfg(123)] alwaysok=0 [pam_oath.c:parse_cfg(124)] try_first_pass=0 [pam_oath.c:parse_cfg(125)] use_first_pass=0 [pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath [pam_oath.c:parse_cfg(127)] digits=0 [pam_oath.c:parse_cfg(128)] window=1 [pam_oath.c:pam_sm_authenticate(157)] get user returned: root One-time password (OATH) for `root': After entering the passord the pam_oath module sends the challenge for OTP and then it authenticates me. SSH works well as well. However when I run freeradius I never get the challenge: pam_pass: using pamauth string <radiusd> for pam.conf lookup [pam_oath.c:parse_cfg(118)] called. [pam_oath.c:parse_cfg(119)] flags 0 argc 3 [pam_oath.c:parse_cfg(121)] argv[0]=usersfile=/etc/users.oath [pam_oath.c:parse_cfg(121)] argv[1]=window=1 [pam_oath.c:parse_cfg(121)] argv[2]=debug [pam_oath.c:parse_cfg(122)] debug=1 [pam_oath.c:parse_cfg(123)] alwaysok=0 [pam_oath.c:parse_cfg(124)] try_first_pass=0 [pam_oath.c:parse_cfg(125)] use_first_pass=0 [pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath [pam_oath.c:parse_cfg(127)] digits=0 [pam_oath.c:parse_cfg(128)] window=1 [pam_oath.c:pam_sm_authenticate(157)] get user returned: root [pam_oath.c:pam_sm_authenticate(232)] conv returned: karel [pam_oath.c:pam_sm_authenticate(248)] OTP too short: karel [pam_oath.c:pam_sm_authenticate(322)] done. [Authentication failure] pam_pass: function pam_authenticate FAILED for <root>. Reason: Authentication failure It seems it gets passed the first password even though try_first_pass nor use_first_pass are set for the pam_oath module. It looks like freeradius passes it the User-Password attribute. Is this a problem in freeradius or the pam stack or am I doing something wrong? I was expecting to get a radius access-challenge proxying the pam_oath challenge similar to how ssh takes care of this. Is there a way to get this setup working? I'd like to use the ldap passwords for users so I'm trying to avoid plaintext secrets in oath configuration. So far it seems I cannot use more then one authentication method in freeradius so pam or some custom module seem like the only two options. thank for pointers Martin
On 06/15/2013 06:20 PM, Martin Kraus wrote:
Hi.
I'd like to have freeradius authenticate users using their password (for simplicity I'm using /etc/shadow now) and TOTP through liboath. I was hoping to use freeradius to centralize this. PAM looked like the easiest way.
rlm_pam only supports plain username/password auth. It doesn't support additional prompts, or issuing an Access-Challenge to clients for more info. There are various ways of doing OTP with FreeRADIUS. Read the docs/wiki and sample configs, and search the archives of the list.
On Sun, Jun 16, 2013 at 10:46:51AM +0100, Phil Mayers wrote:
There are various ways of doing OTP with FreeRADIUS. Read the docs/wiki and sample configs, and search the archives of the list.
Yes I did that before posting. However the only thing that would allow something like a standard password plus otp is using google authenticator with the forward password option through rlm_pam again. I was looking for other options just to look at it from different angle that might perhaps turn out better. thanks mk
Martin Kraus wrote:
Yes I did that before posting. However the only thing that would allow something like a standard password plus otp is using google authenticator with the forward password option through rlm_pam again. I was looking for other options just to look at it from different angle that might perhaps turn out better.
Using PAM is the wrong approach. PAM is an abstraction layer around back-end authentication systems. FreeRADIUS can connect directly to all authentication systems. So using PAM is redundant, and often just adds problems. Alan DeKok.
On Sun, Jun 16, 2013 at 01:15:06PM -0400, Alan DeKok wrote:
Martin Kraus wrote:
Yes I did that before posting. However the only thing that would allow something like a standard password plus otp is using google authenticator with the forward password option through rlm_pam again. I was looking for other options just to look at it from different angle that might perhaps turn out better.
Using PAM is the wrong approach. PAM is an abstraction layer around back-end authentication systems. FreeRADIUS can connect directly to all authentication systems. So using PAM is redundant, and often just adds problems.
Ok. However I still don't see how I would go about setting it up. I thought I can call only a single authentication module in freeradius. When one succeeds the authentication section terminates. Also the only support for oath in freeradius are the oath toolkit and google authenticator PAM modules. could you please point me in the right direction? thanks martin
Martin Kraus wrote:
Ok. However I still don't see how I would go about setting it up. I thought I can call only a single authentication module in freeradius. When one succeeds the authentication section terminates.
There are many modules in FreeRADIUS which do challenge-response. They all work. Similar things can be done for oauth.
Also the only support for oath in freeradius are the oath toolkit and google authenticator PAM modules.
could you please point me in the right direction?
You'll need to write code to get it working. Either an oauth module, or fixing the PAM module to support challenges. See the EAP module for examples of how to maintain state. Alan DeKok.
participants (3)
-
Alan DeKok -
Martin Kraus -
Phil Mayers