Hi all, im setting up an OTP authentication service for our customer base. They should be able to authenticate with both their login/pass or an OTP. Ive got this working just fine by using PAM/radius where each pam services checks 2 radius servers. First the one doing the login/pass (this is a bit of a black box I cant modify too easily), and if that fails it checks the OATH/TOTP/HOTP radius daemon. The second radius server is a Freeradius installation, where the OTP checks are (currently) done using exec. The idea is that customers could be in an insecure environment like an internet cafe and use their OTP token to login through their regular websites or even with their IMAP client. Since we have a pretty large userbase of a few hundred thousand customers, and are regularly bombarded with brute force attacks in some form, i expect a lot of hits on the OTP radius server. Would their be some way, in either the PAM stage, or in the FreeRadius stage before Exec to pre-validate if ive got a token-reponse? They're always 10 digit numbers. Regards, Cor Freeradius: 2.1.10
Cor Bosman <cor@xs4all.nl> wrote:
Would their be some way, in either the PAM stage, or in the FreeRadius stage before Exec to pre-validate if ive got a token-reponse? They're always 10 digit numbers.
unlang is your friend: http://freeradius.org/radiusd/man/unlang.html Something like the following should probably help you: ---- authorize { preprocess ... if (User-Password !~ /^[0-9]{10}$/) { update reply { Reply-Message := "ZOMG, TEH WORLD IS ENDINGS!" } reject } otp-exec-thingy ... } ---- Cheers -- Alexander Clouter .sigmonster says: Good day for overcoming obstacles. Try a steeplechase.
if (User-Password !~ /^[0-9]{10}$/) { update reply { Reply-Message := "ZOMG, TEH WORLD IS ENDINGS!" } reject }
If (Ceiling-Cat) { update reply { Reply-Message := "OMG, STOP WATCHINS ME BATINGS" } } Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter
On Mon, Jul 4, 2011 at 4:57 PM, Cor Bosman <cor@xs4all.nl> wrote:
Would their be some way, in either the PAM stage, or in the FreeRadius stage before Exec to pre-validate if ive got a token-reponse? They're always 10 digit numbers.
Are you asking for a "cheap" way to validate whether User-Password has 10 digit numbers? If yes, just use unlang. Sometihing like this on authorize section (this works only if you use PAP) if (!("%{request:User-Password}" =~ /^[0-9]{10,10}$/)) { update control { Auth-Type := Reject } } -- Fajar
Hey Fajar and Alexander, thanks! That's exactly what I was looking for. A cheap way to pre-validate tokens without having to Exec an 'expensive' external program to check if the token is computationally correct. Simply because I expect a LOT of faulty regular passwords to fall through from the password check to the OTP check. Regards, Cor
participants (4)
-
Alexander Clouter -
Arran Cudbard-Bell -
Cor Bosman -
Fajar A. Nugraha