freeradius and yubikeys
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Sat May 10 01:37:00 CEST 2014
On 10 May 2014, at 00:04, Frederic Van Espen <frederic.ve at gmail.com> wrote:
> On Fri, May 9, 2014 at 9:45 PM, Arran Cudbard-Bell
> <a.cudbardb at freeradius.org> wrote:
>>
>> Git pull... I haven't fixed anything, but I've added a format marker,
>> so it'll show where in the string it found the non modhex char.
>>
>> It'll only show up with -Xx because of the policy we introduced about
>> not showing sensitive strings with -X, after a couple of accidental
>> postings of passwords to GitHub and the list.
>>
>> I tested with your string and it came back fine, so I'm a little confused.
>> Here's my output (with -Xx).
>>
>> Received Access-Request Id 50 from 127.0.0.1:54741 to 127.0.0.1:1812 length
>> 91
>> Code: 1
>> Id: 50
>> Length: 91
>> Vector: d6f8b36def2807b39afba22805bd09f5
>> Data: 01 05 66 6f 6f
>> 02 42 d9 dc 63 29 40 fb 89 6d 8d 9c 24 bf 8b 63 a4 dd
>> e0 72 05 bb 58 38 ab 56 7c 40 ec d8 51 8e 98 49
>> cd a9 e4 4e 76 1a 53 0c 14 67 29 a2 98 c4 8d ad
>> 1a ce 51 70 e8 bb 44 70 ed ae 8e ff c6 8d 1a 8a
>> User-Name = 'foo'
>> User-Password =
>> 'testingpasswordccccccdbkebjkgfkgdrvthntvckrnifbicgrdgrldigl'
>> Fri May 9 18:40:54 2014 : Debug: (0) # Executing section authorize from
>> file /usr/local/freeradius/etc/raddb/sites-enabled/default
>> Fri May 9 18:40:54 2014 : Debug: (0) authorize {
>> Fri May 9 18:40:54 2014 : Debug: (0) modsingle[authorize]: calling
>> yubikey (rlm_yubikey) for request 0
>> Fri May 9 18:40:54 2014 : Debug: (0) yubikey : request:Yubikey-OTP :=
>> 'ccccccdbkebjkgfkgdrvthntvckrnifbicgrdgrldigl'
>> Fri May 9 18:40:54 2014 : Debug: (0) yubikey : request:User-Password :=
>> 'testingpassword'
>> Fri May 9 18:40:54 2014 : Debug: (0) modsingle[authorize]: returned from
>> yubikey (rlm_yubikey) for request 0
>> Fri May 9 18:40:54 2014 : Debug: (0) [yubikey] = ok
>>
>> and your debug was:
>>
>> Fri May 9 16:41:15 2014 : Debug: (0) yubikey : User-Password (aes-block)
>> value contains non modhex chars
>>
>> Meaning it found a char outside of "cbdefghijklnrtuv" in the AES block
>> portion, but we're using the same string, so I don't see how that works.
>
> Are you sure you did not change anything else?
Ah, yes, I accidentally fixed it.
https://github.com/FreeRADIUS/freeradius-server/commit/34dd540de3ac66c659e3d9f271f62751ab4c9d67#diff-dbe11f71860dd5f560f97273854f73baL288
Was reading len bytes, should have only been 44 :)
> Output is different
> this time and I'm doing the same thing with the same config. I'm
> starting it by running "freeradius -Xx" as you suggested. Looks like
> the authorize section worked correctly (it set Auth-Type to yubikey),
> but then authentication part fails (BAD_SERVER_SIGNATURE):
Hm, that apparently means that the API key was incorrect. Double check the config?
or
valgrind --leak-check=full <path to freeradius> <args> -m
I guess it could be memory corruption...
I can have a look on Monday if it's still not working. I just don't have my yubikey
token at home.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
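
Added example (not part of the original message and not FreeRADIUS code): a sketch of bounding the modhex check to exactly the trailing 44 characters of User-Password and reporting the offset of the first offending character. The helper names are hypothetical; the alphabet and sample string are taken from the thread, and the unbounded call in `main` is shown only for contrast.

```c
#include <stdio.h>
#include <string.h>

#define OTP_LEN 44  /* 12-char public ID + 32-char AES block, as in the thread's sample */
static const char modhex[] = "cbdefghijklnrtuv";  /* alphabet quoted in the thread */

/* Offset of the first non-modhex char in s[0..len), or -1 if every char is valid. */
static long modhex_first_bad(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        /* strchr() also matches the terminating NUL, so reject it explicitly */
        if (s[i] == '\0' || !strchr(modhex, s[i])) return (long)i;
    }
    return -1;
}

/*
 * Split "<password><otp>" (hypothetical helper). On success returns a pointer to
 * the 44-char OTP and stores the password length in *pw_len. On failure returns
 * NULL; *bad_off is the offset inside the OTP of the offending char, or -1 if
 * the input was simply too short to contain an OTP.
 */
static const char *split_password_otp(const char *in, size_t *pw_len, long *bad_off)
{
    size_t len = strlen(in);
    *pw_len = 0;
    *bad_off = -1;
    if (len < OTP_LEN) return NULL;

    const char *otp = in + (len - OTP_LEN);
    *bad_off = modhex_first_bad(otp, OTP_LEN);  /* exactly 44 bytes, never len */
    if (*bad_off >= 0) return NULL;

    *pw_len = len - OTP_LEN;
    return otp;
}

int main(void)
{
    /* Sample User-Password value from the debug output in the thread */
    const char *in = "testingpasswordccccccdbkebjkgfkgdrvthntvckrnifbicgrdgrldigl";
    size_t pw_len;
    long bad;
    const char *otp = split_password_otp(in, &pw_len, &bad);
    if (otp) printf("password='%.*s' otp='%s'\n", (int)pw_len, in, otp);
    /* Checking all len bytes instead trips on the password part */
    printf("unbounded check stops at offset %ld\n", modhex_first_bad(in, strlen(in)));
    return 0;
}
```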