freeradius and yubikeys

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri May 9 21:45:04 CEST 2014


On 9 May 2014, at 15:49, Frederic Van Espen <frederic.ve at gmail.com> wrote:

> On Fri, May 9, 2014 at 3:52 PM, Arran Cudbard-Bell
> <a.cudbardb at freeradius.org> wrote:
>> I've fixed it in v3.0.x HEAD (which will become 3.0.3 very soon) so that
>> it just works. If you could test it'd be very much appreciated :)
>> 
>> For your setup with LDAP and crypt, it'd be something like:
>> authorize {
>>        yubikey
>>        ldap
>> }
>> 
>> authenticate {
>>        Auth-Type yubikey {
>>                yubikey
>>                pap
>>        }
>> }
> 
> Alas, does not seem to work with the configuration you suggest :-(

Git pull... I haven't fixed anything, but I've added a format marker,
so it'll show where in the string it found the non modhex char.

It'll only show up with -Xx because of the policy we introduced about
not showing sensitive strings with -X, after a couple of accidental
postings of passwords to GitHub and the list.

I tested with your string and it came back fine, so I'm a little confused.
Here's my output (with -Xx).

Received Access-Request Id 50 from 127.0.0.1:54741 to 127.0.0.1:1812 length 91
  Code:		1
  Id:		50
  Length:	91
  Vector:	d6f8b36def2807b39afba22805bd09f5
  Data:		01  05  66 6f 6f 
		02  42  d9 dc 63 29 40 fb 89 6d 8d 9c 24 bf 8b 63 a4 dd 
			e0 72 05 bb 58 38 ab 56 7c 40 ec d8 51 8e 98 49 
			cd a9 e4 4e 76 1a 53 0c 14 67 29 a2 98 c4 8d ad 
			1a ce 51 70 e8 bb 44 70 ed ae 8e ff c6 8d 1a 8a 
	User-Name = 'foo'
	User-Password = 'testingpasswordccccccdbkebjkgfkgdrvthntvckrnifbicgrdgrldigl'
Fri May  9 18:40:54 2014 : Debug: (0) # Executing section authorize from file /usr/local/freeradius/etc/raddb/sites-enabled/default
Fri May  9 18:40:54 2014 : Debug: (0)   authorize {
Fri May  9 18:40:54 2014 : Debug: (0)   modsingle[authorize]: calling yubikey (rlm_yubikey) for request 0
Fri May  9 18:40:54 2014 : Debug: (0) yubikey : request:Yubikey-OTP := 'ccccccdbkebjkgfkgdrvthntvckrnifbicgrdgrldigl'
Fri May  9 18:40:54 2014 : Debug: (0) yubikey : request:User-Password := 'testingpassword'
Fri May  9 18:40:54 2014 : Debug: (0)   modsingle[authorize]: returned from yubikey (rlm_yubikey) for request 0
Fri May  9 18:40:54 2014 : Debug: (0)   [yubikey] = ok

and your debug was:

Fri May  9 16:41:15 2014 : Debug: (0) yubikey : User-Password (aes-block) value contains non modhex chars

Meaning it found a char outside of "cbdefghijklnrtuv" in the AES block portion, but you were using the same
string, so I don't see how that works.

Relevant configuration files and debug output:
mods-enabled/yubikey:
yubikey {
 split = yes
 decrypt = no
 validate = yes
 validation {
   servers {
   }
   client_id = XXXXX
   api_key = 'OBSCURED'

Hmm I'll add the << secret >> stuff to api_key as well.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
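As an added example (not code from this thread or from rlm_yubikey itself), the following Python mimics what the debug output above shows: the `split = yes` behaviour that peels the 44-char OTP off the end of User-Password, and a modhex check on the public-id and AES-block portions that prints a position marker under the first offending character. The attribute names follow the debug lines; the marker layout and the error message wording are assumptions.

```python
# Added example (not from the thread or rlm_yubikey): mimic the split = yes
# behaviour seen in the debug output, then validate the OTP's modhex parts.
MODHEX = "cbdefghijklnrtuv"   # Yubico modhex alphabet, as quoted in the mail
OTP_LEN = 44                  # 12-char public ID + 32-char AES block
PUBLIC_ID_LEN = 12


def split_password(user_password):
    """Split '<password><otp>' into the two attributes rlm_yubikey sets."""
    if len(user_password) < OTP_LEN:
        raise ValueError("User-Password shorter than a 44-char OTP")
    return user_password[:-OTP_LEN], user_password[-OTP_LEN:]


def first_non_modhex(text):
    """Index of the first character outside the modhex alphabet, or -1."""
    for i, ch in enumerate(text):
        if ch not in MODHEX:
            return i
    return -1


def check_otp(otp):
    """Return (ok, message); on failure the message carries a '^' marker
    under the offending character (marker format is an assumption)."""
    if len(otp) != OTP_LEN:
        return False, f"Yubikey-OTP has length {len(otp)}, expected {OTP_LEN}"
    parts = (("public-id", otp[:PUBLIC_ID_LEN], 0),
             ("aes-block", otp[PUBLIC_ID_LEN:], PUBLIC_ID_LEN))
    for name, part, offset in parts:
        pos = first_non_modhex(part)
        if pos >= 0:
            marker = " " * (offset + pos) + "^"
            return False, (f"Yubikey-OTP ({name}) value contains non modhex chars\n"
                           f"{otp}\n{marker}")
    return True, "ok"


def modhex_decode(text):
    """Decode modhex to bytes (c=0 ... v=f), e.g. the public ID to hex."""
    if len(text) % 2 or first_non_modhex(text) >= 0:
        raise ValueError("not a valid modhex string of even length")
    return bytes.fromhex("".join(format(MODHEX.index(ch), "x") for ch in text))


if __name__ == "__main__":
    # Constructed sample: the same User-Password as in the debug output above.
    password, otp = split_password(
        "testingpasswordccccccdbkebjkgfkgdrvthntvckrnifbicgrdgrldigl")
    print("request:Yubikey-OTP :=", otp)
    print("request:User-Password :=", password)
    print(check_otp(otp)[1], "public id", modhex_decode(otp[:PUBLIC_ID_LEN]).hex())
```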
