Alternative to ClientLogin for Google Apps authentication?

Daniel Smith danielesmith at gmail.com
Thu Apr 16 15:29:40 CEST 2015


On Fri, Jan 30, 2015 at 12:04 AM, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
>
>> On 29 Jan 2015, at 04:26, Daniel Smith <danielesmith at gmail.com> wrote:
>> Is there any way FreeRADIUS can authenticate against Google with an app
>> password, without ClientLogin being around anymore? I looked into OAuth2
>> but it looks like that will require all existing clients to manually sign
>> in again and change details, since it'll require interaction to create the
>> first refresh token.
>
> I don't know how they're doing it. But if you have any requests like extra
> HMAC functions and want to try something with OAuth2, I'd be happy to help
> out.

Well we figured out an easy way to solve this - change the perl script
that our FreeRADIUS instance is running to authenticate using
ClientLogin, to instead connect to pop.gmail.com:995 with an app
password. Works perfectly, and no indication I could find anywhere
that Google is deprecating it any time soon.

One issue, however, is that FreeRADIUS now segfaults. If it's run
without -X, that is.

i.e. if I run "/usr/sbin/radiusd -d /etc/raddb" it starts up and
listens for requests, but then the instant an auth is sent it
segfaults in SSLeay.so (which is being used by the perl script it's
calling).

I know, I know, library version mismatches between OpenSSL or
something. *However*, if I run "/usr/sbin/radiusd -d /etc/raddb -X" it
runs 100% perfectly, doesn't crash, doesn't segfault, everything's
A-OK, people authenticate fine.

Of course we would prefer to run it without -X as it's messing with
our logging. Any advice on how to debug this, or why it would work
fine with -X and segfault without it? We're running it in AWS, so the
most recent version we have access to is 2.12 unfortunately. This
still appears to be an easy fix, since -X gets it working.
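
The approach described in this message (checking a user's app password by logging in to pop.gmail.com:995 from the rlm_perl script), sketched as an added example; this is not the poster's script. It assumes PAP requests where User-Name is the full Google address, and a libnet recent enough that Net::POP3 accepts the SSL option (with IO::Socket::SSL installed).

```perl
#!/usr/bin/perl
# Added illustration (not the poster's script): an rlm_perl authenticate hook
# that validates credentials by logging in to pop.gmail.com:995 over TLS.
use strict;
use warnings;
use Net::POP3;                           # SSL => 1 needs libnet 3.x + IO::Socket::SSL
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Populated by rlm_perl for every request.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# rlm_perl return codes (same values as the example.pl shipped with FreeRADIUS).
use constant RLM_MODULE_REJECT => 0;     # credentials refused
use constant RLM_MODULE_FAIL   => 1;     # backend unavailable, no verdict
use constant RLM_MODULE_OK     => 2;     # credentials accepted

sub authenticate {
    # User-Password is only present for PAP; assumption: User-Name is the
    # full address (user@domain) that Google expects for POP3 logins.
    my $user = $RAD_REQUEST{'User-Name'};
    my $pass = $RAD_REQUEST{'User-Password'};
    return RLM_MODULE_REJECT
        unless defined $user && length $user && defined $pass && length $pass;

    # Implicit TLS on 995. Verify the server certificate so the app password
    # is never handed to an impostor, and bound the wait with a timeout.
    my $pop = Net::POP3->new(
        'pop.gmail.com',
        Port            => 995,
        SSL             => 1,
        SSL_verify_mode => SSL_VERIFY_PEER,
        Timeout         => 10,
    );
    # Connection or TLS failure is a backend error, not a bad password.
    return RLM_MODULE_FAIL unless $pop;

    # login() returns the message count ("0E0" for an empty mailbox) on
    # success and undef on failure, so test definedness, not truth.
    my $ok = $pop->login($user, $pass);
    $pop->quit;

    return RLM_MODULE_OK if defined $ok;
    $RAD_REPLY{'Reply-Message'} = 'Authentication failed';
    return RLM_MODULE_REJECT;
}

1;
```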

