my first freeradius module
Brian Candler
B.Candler at pobox.com
Sun Mar 13 08:38:01 CET 2011
On Fri, Mar 11, 2011 at 06:13:45PM -0300, Herbert Fischer wrote:
> This module will do OTP two way authentication. It will extract part of
> the password (ex.: latest 6 digits) to verify and the remaining
> "password" will be returned to Freeradius to test against another
> module (LDAP for example).
...
> What do you suggest? Is there any other way to do this two way
> authentication without needing to develop a module for it?
Have you looked in the src/modules directory? And you've seen that there's
src/modules/rlm_otp already? If that does the OTP part in the way you need,
then splitting the password into two is easy.
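    # First six characters are the OTP, the rest is the static password
    if (User-Password =~ /^(......)(.*)$/) {
        update request {
            # The OTP password for rlm_otp to check
            # (:= replaces the existing value; = would leave it unchanged)
            User-Password := "%{1}"
            # The remainder to check against mysql or ldap
            Tmp-String-0 := "%{2}"
        }
    }
    ... continue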
See "man unlang" for the details. This won't work for
CHAP-Challenge/CHAP-Password, obviously - only PAP.
(rlm_otp appears to be undocumented, so if you want to update
http://wiki.freeradius.org/Rlm_otp as you work with it, that would be a
useful contribution)
Otherwise, to make a completely custom module which links against an
existing C library, you can start with rlm_example and borrow logic from
other modules as required. But you're right, it's tricky to do properly.
If that were necessary, I'd say you'd be better off using rlm_perl or
rlm_python and writing the logic there.
Regards,
Brian.
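
An added example (not part of the original message, and not FreeRADIUS or rlm_otp code) of the split-and-verify logic discussed in this thread, written in Python as it might be for the rlm_python route mentioned above. It assumes the OTP is an RFC 4226 HOTP code in the last 6 digits of the password, as in the question; `split_password`, `hotp` and `check_two_factor` are hypothetical names, and the secret is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6  # assumption from the question: OTP is the last 6 digits


def split_password(password):
    """Return (static_part, otp), or None if there is no trailing OTP."""
    if len(password) <= OTP_DIGITS:
        return None  # nothing would be left to check against LDAP
    static, otp = password[:-OTP_DIGITS], password[-OTP_DIGITS:]
    if not (otp.isascii() and otp.isdigit()):
        return None
    return static, otp


def hotp(secret, counter, digits=OTP_DIGITS):
    """RFC 4226 HOTP value for a byte-string secret and integer counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_two_factor(password, secret, counter, look_ahead=3):
    """Verify the OTP half; return (static_part, next_counter) or None.

    The caller stores next_counter (so a used code cannot be replayed)
    and still has to check static_part against LDAP or SQL.
    """
    parts = split_password(password)
    if parts is None:
        return None
    static, otp = parts
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), otp):  # constant-time compare
            return static, c + 1
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test key, not a real secret
    print(check_two_factor("s3cret755224", secret, 0))  # constructed input
```

As with the unlang split, this only applies to PAP, where the server sees the cleartext User-Password.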