freeradius and yubikeys

Arran Cudbard-Bell a.cudbardb at
Sat May 10 14:44:25 CEST 2014

On 10 May 2014, at 08:06, Frederic Van Espen < at> wrote:

> On Sat, May 10, 2014 at 1:37 AM, Arran Cudbard-Bell
> <a.cudbardb at> wrote:
>> Ah, yes, I accidentally fixed it.
>> Was reading len bytes, should of only been 44 :)
>>> Output is different
>>> this time and I'm doing the same thing with the same config. I'm
>>> starting it by running "freeradius -Xx" as you suggested. Looks like
>>> the authorize section worked correctly (it set Auth-Type to yubikey),
>>> but then authentication part fails (BAD_SERVER_SIGNATURE):
>> Hm, that apparently means that the API key was incorrect. Double check the config?
> I don't believe the configuration was changed, and it was working on
> 3.0.2 with the password and token splitting done in the vhost config.
> I'll test later today with version 3.0.2 again to confirm.


>> valgrind --leak-check=full <path to freeradius> <args> -m
>> I guess it could be memory corruption...
> Here's the output from valgrind. Admittedly, this is relatively
> unknown grounds for me so I don't really know what the output means,
> but at least it is indeed doing some output where rlm_yubikey is
> concerned:


Hm, fixed that one issue, doubt it would of cause a validation error though.

The rest of the output was false positives. The server just exits without
attempting to cleanup unless you specify -m.

I've made it a bit more strict about starting up with invalid API keys, so if
it's getting the config from where other than where you think it is, it'll
refuse to start.

Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 881 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Users mailing list