S/KEY authentication on FreeRADIUS
Alexander Clouter
alex at digriz.org.uk
Mon Nov 8 15:40:21 CET 2010
Victor Guk <v.guk at zaz.zp.ua> wrote:
>
> Can you please tell whether it is possible to configure FreeRADIUS to
> authenticate users on the "S/KEY One-Time Password System", which is
> described in RFC 1760 (http://tools.ietf.org/html/rfc1760).
>
You should be looking at RFC 2289[1] and also RFC 2243[2].
With FreeRADIUS I successfully got working:
* 802.1X - both wpa_supplicant and SecureW2
* mod_auth_radius (via PAM) - both shell login and Apache basic auth
Getting it working involves a trivial patch to rlm_eap_gtc (that Alan
/dev/null'd) and a Perl script that runs via rlm_perl. It currently
reads from an opiekeys-compatible file, but my long-term plan was to
add LDAP/SQL backend support (as well as RFC 2243 support).
I also did some groundwork so that you could get users to self-service
prime their own MIDP JavaME-enabled mobile phone, via a web page or via
SMS WAP Push message...
Motivation dried up with Alan not applying my patch (grrr) and me not
seeing too much interest in an open-source OTP solution for the UK
university sector...*sigh*.
I've put it on the back burner, but now with JavaME's future looking
dodgy too... :-/
Code dump is available upon request, to anyone, it's all GPL.
Cheers
[1] http://tools.ietf.org/html/rfc2289
[2] http://tools.ietf.org/html/rfc2243
--
Alexander Clouter
.sigmonster says: Without fools there would be no wisdom.
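
Added example, not part of the original message and not the author's Perl script: a Python sketch of the RFC 2289 (MD5) hash-chain check that a server-side OTP backend has to perform, including replay rejection. The record layout, function names, seed and pass-phrase are constructed for illustration; it does not parse an opiekeys file.

```python
import hashlib
import hmac

def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 MD5 step: hash, then XOR the two 8-byte halves (64 bits)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_md5(seed: str, passphrase: str, count: int) -> bytes:
    """Generator side: initial step over seed+pass-phrase, then `count` folds."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = fold_md5(value)
    return value

def new_record(seed: str, passphrase: str, seq: int) -> dict:
    """Hypothetical in-memory user record: the server keeps no pass-phrase,
    only the sequence number, the seed and the last accepted OTP."""
    return {"seq": seq, "seed": seed.lower(), "last": otp_md5(seed, passphrase, seq)}

def challenge(record: dict) -> str:
    """RFC 2289 challenge: algorithm id, next sequence number, seed."""
    return f"otp-md5 {record['seq'] - 1} {record['seed']}"

def verify(record: dict, response: bytes) -> bool:
    """Accept iff one more fold of the response equals the stored OTP."""
    if record["seq"] < 1 or len(response) != 8:
        return False  # chain exhausted (user must re-initialise) or malformed
    if not hmac.compare_digest(fold_md5(response), record["last"]):
        return False
    record["last"] = response  # a replay of this value now fails
    record["seq"] -= 1
    return True

if __name__ == "__main__":
    # Constructed sample values, not taken from the message above.
    rec = new_record("dz1234", "constructed pass-phrase", 100)
    print(challenge(rec))
    otp = otp_md5("dz1234", "constructed pass-phrase", 99)
    print(verify(rec, otp), verify(rec, otp))  # fresh response, then replay
```

The stored value is only ever the previous link of the chain, so a leaked record does not yield the next valid response without inverting the hash.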