S/KEY authentication on FreeRADIUS

Alexander Clouter alex at digriz.org.uk
Mon Nov 8 15:40:21 CET 2010

Victor Guk <v.guk at zaz.zp.ua> wrote:
> Can you please tell whether it is possible to configure FreeRADIUS to 
> authenticate users on the "S/KEY One-Time Password System", which is 
> described in RFC 1760 (http://tools.ietf.org/html/rfc1760).

You should be looking at RFC 2289[1] and also RFC 2243[2].

With FreeRADIUS I successfully got working:
 * 802.1X - both wpa_supplicant and SecureW2
 * mod_auth_radius (via PAM) - both shell login and Apache basic auth

Getting it working involves a trivial patch to rlm_eap_gtc (that Alan 
/dev/null'd) and a Perl script that runs via rlm_perl.  It currently 
reads from an opiekeys-compatible file, but my long term plan was to 
add LDAP/SQL backend support (as well as RFC2243 support).

I also did some groundwork so that you could get users to self-service 
prime their own MIDP JavaME-enabled mobile phone, via a web page or via 
SMS WAP Push message...

Motivation dried up with Alan not applying my patch (grrr) and me not 
seeing too much interest in an opensource OTP solution for the UK 
university sector...*sigh*.

I've put it on the back burner, but now with JavaME's future looking 
dodgy too... :-/

Code dump is available upon request, to anyone, it's all GPL.


[1] http://tools.ietf.org/html/rfc2289
[2] http://tools.ietf.org/html/rfc2243

Alexander Clouter
.sigmonster says: Without fools there would be no wisdom.
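
The RFC 2289 check that a server-side OTP backend has to perform, as an added example in Python; it is not the Perl script or the rlm_eap_gtc patch mentioned in the message. It covers MD5 and hex responses only (no six-word encoding), and `OtpRecord` is a hypothetical in-memory stand-in for one stored user entry.

```python
import hashlib
import hmac
from dataclasses import dataclass

def _fold_md5(data: bytes) -> bytes:
    """MD5, then fold 128 bits to 64 by XORing the two halves (RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """Generator side: the one-time password for sequence number `count`."""
    # The seed is case-insensitive and is lowercased before hashing.
    value = _fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(count):
        value = _fold_md5(value)
    return value

@dataclass
class OtpRecord:          # hypothetical stand-in for one stored user entry
    seed: str
    sequence: int         # sequence number of the OTP held in last_otp
    last_otp: bytes       # last accepted 64-bit OTP, never the passphrase

def challenge(rec: OtpRecord) -> str:
    """Challenge string: the user must answer with the OTP one step earlier."""
    return f"otp-md5 {rec.sequence - 1} {rec.seed}"

def verify(rec: OtpRecord, response_hex: str) -> bool:
    """Server side: hash the response once and compare with the stored OTP."""
    if rec.sequence <= 0:
        return False      # chain exhausted, the user has to re-initialise
    try:
        candidate = bytes.fromhex(response_hex.replace(" ", ""))
    except ValueError:
        return False
    if len(candidate) != 8:
        return False
    if not hmac.compare_digest(_fold_md5(candidate), rec.last_otp):
        return False
    # Accept, then move down the chain so the same response cannot be replayed.
    rec.last_otp, rec.sequence = candidate, rec.sequence - 1
    return True

if __name__ == "__main__":
    # Constructed sample data: the passphrase and seed are test values.
    rec = OtpRecord("test", 99, otp_md5("This is a test.", "test", 99))
    answer = otp_md5("This is a test.", "test", 98).hex()
    print(challenge(rec), verify(rec, answer), verify(rec, answer))
```

The stored value is only ever the last accepted OTP, so a leaked record does not yield the next valid response; updating the record on success is what rejects a replayed response.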