freeradius and yubikeys

Frederic Van Espen frederic.ve at gmail.com
Sat May 10 18:01:49 CEST 2014


On Sat, May 10, 2014 at 2:44 PM, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
>> I don't believe the configuration was changed, and it was working on
>> 3.0.2 with the password and token splitting done in the vhost config.
>> I'll test later today with version 3.0.2 again to confirm.
>
> OK.
>

Confirmed, without even touching the rlm_yubikey config file and
simply downgrading the packages, authentication works fine. The API
key was not changed in the config files.

>
> Thanks.
>
> Hm, fixed that one issue, doubt it would have caused a validation error though.
>
> The rest of the output was false positives. The server just exits without
> attempting to cleanup unless you specify -m.

That's weird. I did start it like this: valgrind --leak-check=full
/usr/sbin/freeradius -Xx -m

> I've made it a bit more strict about starting up with invalid API keys, so if
> it's getting the config from where other than where you think it is, it'll
> refuse to start.

I took a few HTTP traces to compare the difference between 3.0.2 and
3.0.3. Here's the request for 3.0.2:

 48.948991 172.16.35.65 -> 103.6.213.69 HTTP 293 GET
/wsapi/2.0/verify?id=<XXXXX>&nonce=rvepnyfmrllivnnlbuorqnpetedqwldn&otp=ccccccdbkebjdktflifkufelthvkbjucgfefkijlvrdc&h=V1HcnOhTiaW2mxs5Zgeg1VqFU5k%3D
HTTP/1.1

And here's one for 3.0.3:
  0.033011 172.16.35.65 -> 109.74.193.72 HTTP 264 GET
/wsapi/2.0/verify?id=<XXXXX>&nonce=tughzbxuolnhvjqhyryljthvdkwwyjnu&otp=testingpassword&h=uJfyrooihrq7onQhW8coLiyWARE%3D
HTTP/1.1

Looks like we're sending the user's password instead of the OTP :-) I
guess that should be easy to fix?

Cheers,

Frederic
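The two traces above show exactly what the verify call must carry: otp= has to be the 44-character modhex string the key typed, not the user's static password, and h= is the client's HMAC-SHA1 over the other parameters. As an added example, not code from this thread or from rlm_yubikey, here is a Python sketch of the client side of that exchange: split the trailing OTP off a concatenated password+OTP credential, refuse to build a request whose otp= value is not a YubiKey OTP (the 3.0.3 mistake), sign the query the way the YubiCloud 2.0 API expects, and check the signature, otp and nonce in the reply. The client id, API key, and the server reply are constructed for offline use; the "OTP is the last 44 characters" split rule is an assumption about how the vhost config in the thread separated the two.

```python
import base64
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlencode

OTP_LEN = 44                       # 12-char public ID + 32-char encrypted token
MODHEX = set("cbdefghijklnrtuv")   # the only characters a YubiKey OTP contains

# Constructed client credentials (not real YubiCloud values).
CLIENT_ID = "12345"
API_KEY_B64 = base64.b64encode(b"0123456789abcdefghij").decode()


def split_password_otp(value):
    """Return (password, otp), assuming the OTP is the trailing 44 modhex chars.

    This is the split the vhost config in the thread did in unlang; the value
    that must reach /wsapi/2.0/verify is the second element, never the first.
    """
    if len(value) < OTP_LEN:
        raise ValueError("value too short to contain a YubiKey OTP")
    otp = value[-OTP_LEN:]
    if not all(c in MODHEX for c in otp):
        raise ValueError("trailing %d characters are not modhex" % OTP_LEN)
    return value[:-OTP_LEN], otp


def signature(params, api_key_b64):
    """YubiCloud v2.0 signature: HMAC-SHA1 over 'k=v' pairs sorted by key and
    joined with '&' (h itself excluded), keyed with the base64-decoded API key,
    result base64-encoded. The same rule covers request and response."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join("%s=%s" % (k, params[k]) for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_verify_request(otp, client_id=CLIENT_ID, api_key_b64=API_KEY_B64, nonce=None):
    """Build the GET path seen in the 3.0.2 trace. Returns (path, nonce).

    The modhex check is the guard that would have caught the 3.0.3 request
    carrying otp=testingpassword before it left the box.
    """
    if len(otp) != OTP_LEN or not all(c in MODHEX for c in otp):
        raise ValueError("refusing to send a non-OTP value as otp=")
    if nonce is None:
        nonce = "".join(secrets.choice(string.ascii_lowercase) for _ in range(32))
    params = {"id": client_id, "nonce": nonce, "otp": otp}
    params["h"] = signature(params, api_key_b64)
    return "/wsapi/2.0/verify?" + urlencode(params), nonce


def parse_response(body):
    """Parse the 'key=value' lines the validation server returns."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


def check_response(body, otp, nonce, api_key_b64=API_KEY_B64):
    """Return the status field, but only if h verifies and otp/nonce echo ours.

    Checking otp and nonce ties the reply to this request, so a captured
    status=OK reply cannot be replayed against a later authentication.
    """
    fields = parse_response(body)
    if not hmac.compare_digest(fields.get("h", ""), signature(fields, api_key_b64)):
        raise ValueError("bad response signature")
    if fields.get("otp") != otp or fields.get("nonce") != nonce:
        raise ValueError("reply does not belong to this request")
    return fields.get("status")


def make_response(otp, nonce, status="OK", api_key_b64=API_KEY_B64):
    """Constructed server reply, signed with the shared API key, for offline tests."""
    fields = {"t": "2014-05-10T16:01:49Z0123", "otp": otp, "nonce": nonce,
              "sl": "100", "status": status}
    fields["h"] = signature(fields, api_key_b64)
    return "".join("%s=%s\r\n" % (k, v) for k, v in fields.items())


if __name__ == "__main__":
    otp_from_trace = "ccccccdbkebjdktflifkufelthvkbjucgfefkijlvrdc"
    password, otp = split_password_otp("testingpassword" + otp_from_trace)
    path, nonce = build_verify_request(otp)
    print(path)
    print(check_response(make_response(otp, nonce), otp, nonce))
```

The same signature() routine serves both directions, which is also why leaking the API key matters more than the client id: with it, anyone on the path can forge a status=OK reply that passes check_response.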

