freeradius and yubikeys

Frederic Van Espen frederic.ve at gmail.com
Fri May 9 14:31:45 CEST 2014


On Fri, May 9, 2014 at 1:02 PM, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
> The scheme of concatenating the password with the token string is user
> defined. The yubikey module checks you've performed the split correctly,
> by looking at the length of the User-Password. It cannot split out the
> password + OTP token for you as it does not know your concatenation
> scheme. The yubikey module restricts you to straight concatenation with
> no separator, FreeRADIUS lets you use any scheme.

Makes sense. Thanks for the clarification!

> If you're doing 2FA as a single round with password + OTP concatenation, you
> need something like:
>
> authorize {
>
>     # 44 is OTP len + ID Len
>     if (User-Password =~ /^(.*)([cbdefghijklnrtuv]{44})$/) {
>         update request {
>             User-Password := "%{2}"
>         }
>         yubikey
>         if (ok) {
>             update request {
>                 User-Password := "%{1}"
>             }
>         }
>     }
>     <insert modules to get control:Password-With-Header or control:*-Password,
>      ldap, files etc...>
>     pap
>
> }

I'm still missing something here. It looks like the authorize section
of rlm_yubikey always returns OK, regardless of whether the OTP token was
used or not. Only when I call the yubikey module in the authenticate
section is it really contacting the yubicloud servers and verifying
the OTP. But then I always get authenticated without supplying the
user password. Hence my next question: can I use 2 Auth-Types in the
authenticate section? Or is that exactly what you mean by <insert
modules to get control:Password-With-Header or control:*-Password,
ldap, files etc...> in your previous mail?

Thanks,

Frederic
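The split that the quoted unlang regex performs, as an added Python example that is not part of this thread or of FreeRADIUS: it applies the same `^(.*)([cbdefghijklnrtuv]{44})$` pattern to a concatenated User-Password, returns the password and OTP halves, and decodes the 12-character modhex public ID so an operator can see which key submitted the token. The OTP and password values are constructed for the example; nothing is sent to YubiCloud, and the `=`/`:=` semantics of the update block are not modelled.

```python
import re

# Modhex alphabet used by YubiKey OTPs; index in the string is the nibble value.
MODHEX = "cbdefghijklnrtuv"
PUBLIC_ID_LEN = 12          # first 12 modhex chars identify the key
OTP_LEN = 44                # 12-char public ID + 32-char encrypted token

# Same pattern as the quoted unlang config: greedy prefix, then exactly 44
# modhex characters anchored to the end of the User-Password.
SPLIT_RE = re.compile(r"^(.*)([cbdefghijklnrtuv]{44})$")


def split_user_password(user_password: str):
    """Return (password, otp) or None when no 44-char modhex suffix is present.

    None corresponds to the unlang 'if' not matching, i.e. the request falls
    through to pap with the User-Password untouched.
    """
    m = SPLIT_RE.match(user_password)
    if m is None:
        return None
    return m.group(1), m.group(2)


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string into raw bytes (two modhex chars per byte)."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a modhex string")
    nibbles = [MODHEX.index(ch) for ch in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def public_id(otp: str) -> str:
    """Hex form of the key's public ID, the part an operator maps to a user."""
    return modhex_decode(otp[:PUBLIC_ID_LEN]).hex()


if __name__ == "__main__":
    # Constructed sample: static password followed directly by a 44-char OTP.
    sample_otp = "ccccccbcgujh" + "kkjkgvivlbudcbbrglhhukhdngnhcdfk"
    parts = split_user_password("hunter2" + sample_otp)
    print(parts, public_id(sample_otp))
    # A password with a too-short modhex tail does not match at all.
    print(split_user_password("hunter2cccc"))
```

Because the 44-character group is anchored to the end and the prefix is greedy, the split is unambiguous even when the password itself ends in modhex letters; an empty prefix (OTP sent with no password) still matches and leaves pap to reject the empty password.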

