freeradius and yubikeys

Frederic Van Espen at
Sat May 10 18:01:49 CEST 2014

On Sat, May 10, 2014 at 2:44 PM, Arran Cudbard-Bell
<a.cudbardb at> wrote:
>> I don't believe the configuration was changed, and it was working on
>> 3.0.2 with the password and token splitting done in the vhost config.
>> I'll test later today with version 3.0.2 again to confirm.
> OK.

Confirmed, without even touching the rlm_yubikey config file and
simply downgrading the packages, authentication works fine. The API
key was not changed in the config files.

> Thanks.
> Hm, fixed that one issue, doubt it would of cause a validation error though.
> The rest of the output was false positives. The server just exits without
> attempting to cleanup unless you specify -m.

That's weird. I did start it like this: valgrind --leak-check=full
/usr/sbin/freeradius -Xx -m

> I've made it a bit more strict about starting up with invalid API keys, so if
> it's getting the config from where other than where you think it is, it'll
> refuse to start.

I took a few HTTP traces to compare the difference between 3.0.2 and
3.0.3. Here's the request for 3.0.2:

 48.948991 -> HTTP 293 GET

And here's one for 3.0.3:
  0.033011 -> HTTP 264 GET

Looks like we're sending the user's password instead of the OTP :-) I
guess that should be easy to fix?



More information about the Freeradius-Users mailing list