rlm_krb5 hardware preauth

Alan DeKok aland at ox.org
Thu Nov 24 23:37:58 CET 2005

Frank Cusack <fcusack at fcusack.com> wrote:
> See src/modules/rlm_otp/otp_radstate.c.  I HMAC the State with a key
> generated at FR startup time.  The State includes the time, and I
> verify that the time the State is received is sufficiently close to
> the time the State was sent.  This limits State replay to that time
> interval, which isn't perfect but for my use it was good enough.  The
> HMAC is required to verify the integrity of the time data.

  This code is useful enough that it should go into the server core,
to avoid repetition in multiple modules (eap, otp, krb5 ...)

  I'll take a look at doing it.

  The EAP module solves this problem by changing the State attribute
for every Access-Challenge, and expiring old ones.

  Alan DeKok.

More information about the Freeradius-Devel mailing list