freeradius and yubikeys

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri May 9 14:32:25 CEST 2014


On 9 May 2014, at 12:02, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:

> 
> On 9 May 2014, at 11:14, Frederic Van Espen <frederic.ve at gmail.com> wrote:
> 
>> On Fri, May 9, 2014 at 9:11 AM, Arran Cudbard-Bell
>> <a.cudbardb at freeradius.org> wrote:
>>> Which you'd get if you rolled your own packages, and hey you'd actually be
>>> contributing something, because if you came across any defects, you might
>>> actually be able to provide useful debugging info.
>> 
>> I now have version 3.0.2 up and running with rlm_yubikey. For this
>> testing setup, I'm simply trying to validate to the public yubicloud
>> server using the validate mode.
>> 
>> When I was using the rlm_perl based module, I was able to enter a user
>> password, followed by the OTP token. The perl module extracted the OTP
>> and passed on the user password for further authentication (in my case
>> LDAP). Now when I use radtest like this:
>> root at obelix-clone:/usr/src# radtest fes
>> testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr 127.0.0.1
>> 0 testing123
>> Sending Access-Request of id 85 from 0.0.0.0 port 56523 to 127.0.0.1 port 1812
>> User-Name = 'fes'
>> User-Password = 'testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr'
>> NAS-IP-Address = 172.16.35.65
>> NAS-Port = 0
>> Message-Authenticator = 0x00
>> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=85, length=20
>> 
>> 
>> Here's the output of the server:
>> rad_recv: Access-Request packet from host 127.0.0.1 port 56523, id=85,
>> length=121
>> User-Name = 'fes'
>> User-Password = 'testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr'
>> NAS-IP-Address = 172.16.35.65
>> NAS-Port = 0
>> Message-Authenticator = 0xf4c430ea058e22ef07ef239f42b0270f
>> Fri May  9 11:52:20 2014 : Debug: (0) # Executing section authorize
>> from file /etc/freeradius/sites-enabled/default
>> Fri May  9 11:52:20 2014 : Debug: (0)   authorize {
>> Fri May  9 11:52:20 2014 : Debug: (0)   modsingle[authorize]: calling
>> preprocess (rlm_preprocess) for request 0
>> Fri May  9 11:52:20 2014 : Debug: (0)   modsingle[authorize]: returned
>> from preprocess (rlm_preprocess) for request 0
>> Fri May  9 11:52:20 2014 : Debug: (0)   [preprocess] = ok
>> Fri May  9 11:52:20 2014 : Debug: (0)   modsingle[authorize]: calling
>> yubikey (rlm_yubikey) for request 0
>> Fri May  9 11:52:20 2014 : Debug: (0) yubikey : User-Password value is
>> not the correct length, expected 44, got 59
> 
> ^ Look at me, look at me, i'm the reason why it's not working, look at me look at me.
> 
>> Fri May  9 11:52:20 2014 : Debug: (0)   modsingle[authorize]: returned
>> from yubikey (rlm_yubikey) for request 0
>> Fri May  9 11:52:20 2014 : Debug: (0)   [yubikey] = noop
>> Fri May  9 11:52:20 2014 : Debug: (0)    if (ok)
>> Fri May  9 11:52:20 2014 : Debug: (0)    if (ok)  -> FALSE
>> 
>> Do you know of any way to regain the behaviour of the rlm_perl based
>> module (user password AND OTP token for two factor authentication)?
>> Should I maybe handle that in the configuration?
> 
> The scheme of concatenating the password with the token string is user defined.
> The yubikey module checks you've performed the split correctly, by looking at
> the length of the User-Password. It cannot split out the password + OTP token
> for you as it does not know your concatenation scheme. The yubikey module 
> restricts you to straight concatenation with no separator, FreeRADIUS lets you
> use any scheme.
> 
> If you're doing 2FA as a single round with password + OTP concatenation, you
> need something like:
> 

Oops. It's more like

authorize {
	# 44 is OTP len + ID Len: 12 char modhex public ID + 32 char modhex OTP.
	# The greedy (.*) takes the password, the modhex run anchored at the end
	# of the string is the OTP, so a password ending in modhex chars is fine.
	if (User-Password =~ /^(.*)([cbdefghijklnrtuv]{44})$/) {
		update request {
			# := overwrites. A plain = only sets the attribute if it is
			# absent, so it would leave the concatenated value in place.
			User-Password := "%{2}"
		}
		yubikey.authenticate
		if (ok) {
			# OTP validated, put the real password back for the modules below.
			# If the OTP failed, User-Password stays as the OTP alone and pap
			# cannot succeed against the stored password.
			update request {
				User-Password := "%{1}"
			}
		}
	}
	<insert modules to get control:Password-With-Header or control:*-Password, ldap, files etc...>
	pap
}

OK, I'll see if I can fix the behaviour to be a little more sane.

-Arran
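The split rule from the unlang snippet above, worked through outside the server so the edge cases are visible. This is an added illustration, not code from the thread or from rlm_yubikey: it uses the same regex as the unlang example, takes the radtest value from the original post as constructed sample input, and assumes the standard Yubico OTP layout of a 12 character modhex public ID followed by 32 modhex characters (44 in total, which is the length the module complained about).

```python
import re

# Yubico modhex alphabet in value order: c=0, b=1, d=2 ... v=15.
MODHEX = "cbdefghijklnrtuv"
OTP_LEN = 44        # public ID + encrypted OTP, the length rlm_yubikey expects
PUBLIC_ID_LEN = 12  # assumed standard public ID length

# Same pattern as the unlang example: greedy prefix, then exactly 44 modhex
# characters anchored at the end. Because the OTP has a fixed length and is
# anchored at $, the greedy (.*) always backtracks to exactly the right split,
# even when the password itself ends in modhex letters.
SPLIT_RE = re.compile(r"^(.*)([cbdefghijklnrtuv]{44})$")


def split_password_otp(user_password):
    """Return (password, otp) or None when there is no 44 char modhex tail.

    None corresponds to the unlang 'if' not matching: the request falls
    through with User-Password untouched and rlm_yubikey rejects it on length.
    """
    m = SPLIT_RE.match(user_password)
    if not m:
        return None
    return m.group(1), m.group(2)


def yubikey_length_ok(value):
    """Mirror of the module's sanity check: 44 chars, all modhex."""
    return len(value) == OTP_LEN and all(ch in MODHEX for ch in value)


def modhex_decode(s):
    """Decode a modhex string to lowercase hex; ValueError on a bad char."""
    return "".join(format(MODHEX.index(ch), "x") for ch in s)


def public_id(otp):
    """The first 12 modhex chars identify the key; decoded to hex."""
    if not yubikey_length_ok(otp):
        raise ValueError("not a 44 char modhex OTP")
    return modhex_decode(otp[:PUBLIC_ID_LEN])


# Constructed sample input, taken from the radtest run in the original post.
SAMPLE = "testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr"

if __name__ == "__main__":
    # Whole value: 59 chars, which is why rlm_yubikey rejected it as-is.
    print("raw length ok:", yubikey_length_ok(SAMPLE))
    pw, otp = split_password_otp(SAMPLE)
    print("password:", pw)
    print("otp:", otp, "length ok:", yubikey_length_ok(otp))
    print("public id:", public_id(otp))
```

Running it on the posted value splits it into "testingpassword" and the 44 character OTP, whose public ID decodes to 000000219318. A value shorter than 44 characters, or one whose last 44 characters contain anything outside the modhex alphabet, returns None from the split, which is the case the server log showed as "expected 44, got 59".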