freeradius and yubikeys

Frederic Van Espen frederic.ve at gmail.com
Fri May 9 16:49:05 CEST 2014


On Fri, May 9, 2014 at 3:52 PM, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
> I've fixed it in v3.0.x HEAD (which will become 3.0.3 very soon) so that
> it just works. If you could test it'd be very much appreciated :)
>
> For your setup with LDAP and crypt, it'd be something like:
> authorize {
>         yubikey
>         ldap
> }
>
> authenticate {
>         Auth-Type yubikey {
>                 yubikey
>                 pap
>         }
> }

Alas, does not seem to work with the configuration you suggest :-(
Relevant configuration files and debug output:
mods-enabled/yubikey:
yubikey {
  split = yes
  decrypt = no
  validate = yes
  validation {
    servers {
    }
    client_id = XXXXX
    api_key = 'OBSCURED'
    pool {
      start = 5
      min = 4
      max = 10
      spare = 3
      uses = 0
      lifetime = 0
      idle_timeout = 60
      spread = yes
    }
  }
}

sites-enabled/default:
server default {
  listen {
    type = auth
    ipaddr = *
    port = 0
    limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
    }
  }
  listen {
    ipaddr = *
    port = 0
    type = acct
    limit {
    }
  }
  authorize {
    preprocess
    yubikey
    -ldap
    expiration
    logintime
  }
  authenticate {
    Auth-Type yubikey {
      yubikey
      pap
    }
  }
  preacct {
    preprocess
    acct_unique
    suffix
    files
  }
  accounting {
    detail
    unix
    -sql
    exec
    attr_filter.accounting_response
  }
  session {
  }
  post-auth {
    exec
    remove_reply_message_if_eap
    Post-Auth-Type REJECT {
      -sql
      attr_filter.access_reject
      eap
      remove_reply_message_if_eap
    }
  }
  pre-proxy {
  }
  post-proxy {
    eap
  }
}
and the debugging output:

Received Access-Request Id 9 from 127.0.0.1:37537 to 127.0.0.1:1812 length 121
User-Name = 'fes'
User-Password = 'testingpasswordccccccdbkebjkgfkgdrvthntvckrnifbicgrdgrldigl'
NAS-IP-Address = 172.16.35.65
NAS-Port = 0
Message-Authenticator = 0x9c976b6fd97fd7fc4d98acd97be8fc27
Fri May  9 16:41:15 2014 : Debug: (0) # Executing section authorize
from file /etc/freeradius/sites-enabled/default
Fri May  9 16:41:15 2014 : Debug: (0)   authorize {
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 0
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[authorize]: returned
from preprocess (rlm_preprocess) for request 0
Fri May  9 16:41:15 2014 : Debug: (0)   [preprocess] = ok
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[authorize]: calling
yubikey (rlm_yubikey) for request 0
Fri May  9 16:41:15 2014 : Debug: (0) yubikey : User-Password
(aes-block) value contains non modhex chars
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[authorize]: returned
from yubikey (rlm_yubikey) for request 0
Fri May  9 16:41:15 2014 : Debug: (0)   [yubikey] = noop
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[authorize]: calling
ldap (rlm_ldap) for request 0
Fri May  9 16:41:15 2014 : Debug: rlm_ldap (ldap): Reserved connection (4)
Fri May  9 16:41:15 2014 : Debug: (uid=%{%{Stripped-User-Name}:-%{User-Name}})
Fri May  9 16:41:15 2014 : Debug: Parsed xlat tree:
Fri May  9 16:41:15 2014 : Debug: literal --> (uid=
Fri May  9 16:41:15 2014 : Debug: if {
Fri May  9 16:41:15 2014 : Debug: attribute --> Stripped-User-Name
Fri May  9 16:41:15 2014 : Debug: {
Fri May  9 16:41:15 2014 : Debug: ref  2
Fri May  9 16:41:15 2014 : Debug: list 1
Fri May  9 16:41:15 2014 : Debug: tag -128
Fri May  9 16:41:15 2014 : Debug: }
Fri May  9 16:41:15 2014 : Debug: }
Fri May  9 16:41:15 2014 : Debug: else {
Fri May  9 16:41:15 2014 : Debug: attribute --> User-Name
Fri May  9 16:41:15 2014 : Debug: {
Fri May  9 16:41:15 2014 : Debug: ref  2
Fri May  9 16:41:15 2014 : Debug: list 1
Fri May  9 16:41:15 2014 : Debug: tag -128
Fri May  9 16:41:15 2014 : Debug: }
Fri May  9 16:41:15 2014 : Debug: }
Fri May  9 16:41:15 2014 : Debug: literal --> )
Fri May  9 16:41:15 2014 : Debug: (0) ldap : EXPAND
(uid=%{%{Stripped-User-Name}:-%{User-Name}})
Fri May  9 16:41:15 2014 : Debug: (0) ldap :    --> (uid=fes)
Fri May  9 16:41:15 2014 : Debug: ou=People,dc=escaux,dc=com
Fri May  9 16:41:15 2014 : Debug: Parsed xlat tree:
Fri May  9 16:41:15 2014 : Debug: literal --> ou=People,dc=escaux,dc=com
Fri May  9 16:41:15 2014 : Debug: (0) ldap : EXPAND ou=People,dc=escaux,dc=com
Fri May  9 16:41:15 2014 : Debug: (0) ldap :    --> ou=People,dc=escaux,dc=com
Fri May  9 16:41:15 2014 : Debug: (0) ldap : Performing search in
'ou=People,dc=escaux,dc=com' with filter '(uid=fes)', scope 'sub'
Fri May  9 16:41:15 2014 : Debug: (0) ldap : Waiting for search result...
Fri May  9 16:41:15 2014 : Debug: (0) ldap : User object found at DN
"uid=fes,ou=People,dc=escaux,dc=com"
Fri May  9 16:41:15 2014 : Debug: (0) ldap : Processing user attributes
Fri May  9 16:41:15 2014 : Debug: (0) ldap :
control:Password-With-Header +=
''{CRYPT}$6$rounds=1000$czjqtQQw5Sx6BURM$67zg9ok5r8IVTQNcQkdx1Mbi5A75gbHgt5I3oI/Z038MPg8htLLswallK.ou/r914j/0Tkwyuf92ZHsVg1DTz.''
Fri May  9 16:41:15 2014 : Debug: (0) ldap : Attribute "ntPassword"
not found in LDAP object
Fri May  9 16:41:15 2014 : Debug: rlm_ldap (ldap): Released connection (4)
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[authorize]: returned
from ldap (rlm_ldap) for request 0
Fri May  9 16:41:15 2014 : Debug: (0)   [ldap] = ok
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[authorize]: calling
expiration (rlm_expiration) for request 0
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[authorize]: returned
from expiration (rlm_expiration) for request 0
Fri May  9 16:41:15 2014 : Debug: (0)   [expiration] = noop
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[authorize]: calling
logintime (rlm_logintime) for request 0
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[authorize]: returned
from logintime (rlm_logintime) for request 0
Fri May  9 16:41:15 2014 : Debug: (0)   [logintime] = noop
Fri May  9 16:41:15 2014 : Debug: (0)  } #  authorize = ok
Fri May  9 16:41:15 2014 : ERROR: (0) No Auth-Type found: rejecting
the user via Post-Auth-Type = Reject
Fri May  9 16:41:15 2014 : Debug: (0) Failed to authenticate the user.
Fri May  9 16:41:15 2014 : Debug: (0) Using Post-Auth-Type Reject
Fri May  9 16:41:15 2014 : Debug: (0) # Executing group from file
/etc/freeradius/sites-enabled/default
Fri May  9 16:41:15 2014 : Debug: (0)  Post-Auth-Type REJECT {
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[post-auth]: calling
attr_filter.access_reject (rlm_attr_filter) for request 0
Fri May  9 16:41:15 2014 : Debug: %{User-Name}
Fri May  9 16:41:15 2014 : Debug: Parsed xlat tree:
Fri May  9 16:41:15 2014 : Debug: attribute --> User-Name
Fri May  9 16:41:15 2014 : Debug: {
Fri May  9 16:41:15 2014 : Debug: ref  2
Fri May  9 16:41:15 2014 : Debug: list 1
Fri May  9 16:41:15 2014 : Debug: tag -128
Fri May  9 16:41:15 2014 : Debug: }
Fri May  9 16:41:15 2014 : Debug: (0) attr_filter.access_reject :
EXPAND %{User-Name}
Fri May  9 16:41:15 2014 : Debug: (0) attr_filter.access_reject :    --> fes
Fri May  9 16:41:15 2014 : Debug: (0) attr_filter.access_reject :
Matched entry DEFAULT at line 11
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[post-auth]: returned
from attr_filter.access_reject (rlm_attr_filter) for request 0
Fri May  9 16:41:15 2014 : Debug: (0)   [attr_filter.access_reject] = updated
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[post-auth]: calling
eap (rlm_eap) for request 0
Fri May  9 16:41:15 2014 : Debug: (0) eap : Request didn't contain an
EAP-Message, not inserting EAP-Failure
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[post-auth]: returned
from eap (rlm_eap) for request 0
Fri May  9 16:41:15 2014 : Debug: (0)   [eap] = noop
Fri May  9 16:41:15 2014 : Debug: (0)   remove_reply_message_if_eap
remove_reply_message_if_eap {
Fri May  9 16:41:15 2014 : Debug: (0)     if (reply:EAP-Message &&
reply:Reply-Message)
Fri May  9 16:41:15 2014 : Debug: (0)     if (reply:EAP-Message &&
reply:Reply-Message)  -> FALSE
Fri May  9 16:41:15 2014 : Debug: (0)    else else {
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[post-auth]: calling
noop (rlm_always) for request 0
Fri May  9 16:41:15 2014 : Debug: (0)   modsingle[post-auth]: returned
from noop (rlm_always) for request 0
Fri May  9 16:41:15 2014 : Debug: (0)     [noop] = noop
Fri May  9 16:41:15 2014 : Debug: (0)    } # else else = noop
Fri May  9 16:41:15 2014 : Debug: (0)   } #
remove_reply_message_if_eap remove_reply_message_if_eap = noop
Fri May  9 16:41:15 2014 : Debug: (0)  } # Post-Auth-Type REJECT = updated
Fri May  9 16:41:15 2014 : Debug: (0) Delaying response for 1 seconds
Fri May  9 16:41:15 2014 : Debug: Waking up in 0.3 seconds.
Fri May  9 16:41:16 2014 : Debug: Waking up in 0.6 seconds.
Fri May  9 16:41:16 2014 : Debug: (0) Sending delayed response
Sending Access-Reject Id 9 from 127.0.0.1:1812 to 127.0.0.1:37537
Fri May  9 16:41:16 2014 : Debug: Waking up in 3.9 seconds.
Fri May  9 16:41:20 2014 : Debug: (0) Cleaning up request packet ID 9
with timestamp +11
Fri May  9 16:41:20 2014 : Info: Ready to process requests.
Let me know if there is anything more that you need tested.

Frederic
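As an added illustration of what the split = yes / validate = yes configuration above asks rlm_yubikey to do (this is example code written for this page, not FreeRADIUS or rlm_yubikey source): take the User-Password from the debug output, peel off the trailing 44-character OTP so the remainder can go to pap against the LDAP {CRYPT} hash, confirm the OTP is modhex, decode the 12-character public ID, and build an HMAC-SHA1-signed request of the kind the Yubico validation protocol (v2.0) uses. The client_id and api_key here are made up; the real ones stay obscured as in the post. The password value is the one from the Access-Request shown above.

```python
import base64
import hashlib
import hmac
import os

MODHEX = "cbdefghijklnrtuv"   # Yubico modhex alphabet; index of a char is its nibble value
OTP_LEN = 44                  # 12-char public ID followed by a 32-char (16-byte) AES block
PUBLIC_ID_LEN = 12

# Taken from the Access-Request in the debug output above: static password + OTP.
USER_PASSWORD = "testingpasswordccccccdbkebjkgfkgdrvthntvckrnifbicgrdgrldigl"

# Assumed values for the example; the post obscures the real client_id and api_key.
CLIENT_ID = 12345
API_KEY = base64.b64encode(b"0123456789abcdefghij").decode()


def is_modhex(s):
    return len(s) > 0 and all(ch in MODHEX for ch in s)


def modhex_decode(s):
    """Decode a modhex string to bytes (two modhex chars per byte)."""
    if len(s) % 2 or not is_modhex(s):
        raise ValueError("not a valid modhex string")
    nibbles = [MODHEX.index(ch) for ch in s]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def split_otp(user_password):
    """What split = yes is meant to do: the OTP is the last 44 chars, the static
    password is everything before it. Returns None when no valid OTP tail exists,
    which is the case where the module has nothing to do (noop)."""
    if len(user_password) < OTP_LEN:
        return None
    static, otp = user_password[:-OTP_LEN], user_password[-OTP_LEN:]
    if not is_modhex(otp):
        return None
    return static, otp


def public_id(otp):
    """The 12-char public ID identifies the key; it is what you map to a user."""
    return modhex_decode(otp[:PUBLIC_ID_LEN]).hex()


def sign_params(params, api_key_b64):
    """Yubico validation protocol signature: HMAC-SHA1 over the parameters
    sorted by name and joined as k=v&k=v, base64-encoded, keyed by the api_key."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_verify_request(otp, client_id, api_key_b64, nonce=None):
    """Parameters for a verify call (id, otp, nonce, h). No network is used here."""
    nonce = nonce or os.urandom(16).hex()
    params = {"id": str(client_id), "otp": otp, "nonce": nonce}
    params["h"] = sign_params(params, api_key_b64)
    return params


def verify_signature(params, api_key_b64):
    """Check the h parameter of a request or response against the shared api_key.
    A validation server's reply must be checked this way before trusting status=OK."""
    unsigned = {k: v for k, v in params.items() if k != "h"}
    return hmac.compare_digest(sign_params(unsigned, api_key_b64), params.get("h", ""))


if __name__ == "__main__":
    static, otp = split_otp(USER_PASSWORD)
    print("static password:", static)
    print("otp:", otp, "public id:", public_id(otp))
    req = build_verify_request(otp, CLIENT_ID, API_KEY)
    print("signed request params:", req)
    print("signature verifies:", verify_signature(req, API_KEY))
```

The static-password half is what pap would compare against the {CRYPT} hash the ldap module pulled into control:Password-With-Header; the OTP half is what validate = yes sends off. Checking the signature on the validation server's reply is not optional: without it, anyone who can speak to the RADIUS server's outbound HTTP can answer with status=OK.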

