rlm_krb5 hardware preauth
aland at ox.org
Thu Nov 24 23:37:58 CET 2005
Frank Cusack <fcusack at fcusack.com> wrote:
> See src/modules/rlm_otp/otp_radstate.c. I HMAC the State with a key
> generated at FR startup time. The State includes the time, and I
> verify that the time the State is received is sufficiently close to
> the time the State was sent. This limits State replay to that time
> interval, which isn't perfect but for my use it was good enough. The
> HMAC is required to verify the integrity of the time data.
This code is useful enough that it should go into the server core,
to avoid repetition in multiple modules (eap, otp, krb5 ...).
I'll take a look at doing it.
The EAP module solves this problem by changing the State attribute
for every Access-Challenge, and expiring old ones.
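
Added example, not part of the original message and not the rlm_otp code: a sketch of the time-stamped, HMAC-protected State described in the quoted text, showing both the integrity check and the freshness check. The State layout (challenge, 32-bit send time, HMAC-SHA256), the 30-second window, and the names make_state/check_state are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

# Assumption: the key is generated once at server start, so a State
# issued before a restart never verifies afterwards.
STATE_KEY = os.urandom(32)
MAX_AGE = 30    # assumed acceptance window, in seconds
TS_LEN = 4      # 32-bit big-endian send time
MAC_LEN = 32    # HMAC-SHA256 output length
MAX_ATTR = 253  # largest RADIUS attribute value

def make_state(challenge, now=None, key=STATE_KEY):
    """Build State = challenge || send time || HMAC(key, challenge || send time)."""
    if len(challenge) + TS_LEN + MAC_LEN > MAX_ATTR:
        raise ValueError("challenge too long for one State attribute")
    ts = struct.pack("!I", int(time.time()) if now is None else now)
    mac = hmac.new(key, challenge + ts, hashlib.sha256).digest()
    return challenge + ts + mac

def check_state(state, now=None, key=STATE_KEY, max_age=MAX_AGE):
    """Return the challenge if State is authentic and fresh, else None."""
    if len(state) < TS_LEN + MAC_LEN:
        return None
    body, mac = state[:-MAC_LEN], state[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Verify the MAC first (constant-time), so the time field is only
    # trusted once its integrity is established.
    if not hmac.compare_digest(mac, expected):
        return None
    (sent,) = struct.unpack("!I", body[-TS_LEN:])
    now = int(time.time()) if now is None else now
    # Reject States that are too old or that claim a future send time.
    if not 0 <= now - sent <= max_age:
        return None
    return body[:-TS_LEN]

if __name__ == "__main__":
    s = make_state(b"constructed-challenge", now=1000)   # constructed input
    print(check_state(s, now=1010))   # fresh: challenge returned
    print(check_state(s, now=1010))   # replay inside the window still passes
    print(check_state(s, now=1031))   # outside the window: None
```

The second call in the demo is the limitation the quoted message names: within the window a captured State is accepted again, which is what issuing a new State per Access-Challenge and expiring old ones addresses.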