otpd - resurrecting it

Alan DeKok aland at deployingradius.com
Wed Sep 23 13:55:40 CEST 2015

On Sep 22, 2015, at 10:31 PM, Michael A Hawkins <mhawkins.consultant at gmail.com> wrote:
> I am trying to resurrect otpd, a GPL fork is here
> https://code.google.com/p/otpd/. I like this thing because it allows me
> to run my own OTP service with OATH compliant event based tokens of
> almost any kind. I never got any time based tokens working and I don't
> really care.

  There are multiple other implementations of one-time tokens.  Writing / supporting your own custom version is a lot of work.

> Years ago, I got otpd working by running it as radiusd so that
> FreeRadius could interact with it. This required setting all rights on
> all otpd related files and /var/run/otpd/socket to be owned and perm'd
> for radiusd. I don't know enough about LINUX to know why radiusd had to
> run otpd but I do remember that no matter what I did, if radiusd did not
> have rights to /var/run/otpd/socket then FreeRadius was always denied
> permission when attempting to interact with otpd.

  That's a red flag.  If you're inexperienced with Unix security, I don't suggest maintaining your own version of OTPd.

> Compiling the otpd code was also a challenge because I mostly run Fedora
> and C files, ./configure and make files all had to be messed with. But I
> managed.

  "Messed with" is also a red flag.  You should understand what you're changing, and why. 

> The problem I face now though is that if I do everything I originally
> did as above I get all the way to authenticating and freeradius always
> fails the authentication and otpd seg faults.

  Seg faults indicate coding errors.  You "messed with" the code and broke it.  That's bad.

> All of the above results in otpd still running. But if I run radtest
> once more... otpd segfaults and leaves the /var/run/otpd/socket
> inaccessible by radiusd.

  Because otpd isn't running.

> I can see that otpd passes the authentication but freeradius doesn't see
> it.

  The rlm_otp module returns "fail" for some reason.  You'll have to root through the source code of rlm_otp to figure out why.

> So I don't know why FreeRadius is failing the authentication and I don't
> know why otpd is segfaulting (this is the first time I've ever had to
> work on an executable that does that).

  It won't be the last.

> Any help or hints on how to solve or troubleshoot this would be *VERY*
> much appreciated.

  Writing and debugging C programs is hard.  This list isn't really the place to describe how to do that.

  My suggestion is to toss otpd, and go with software which is actively maintained.  Because otpd isn't supported any more, we don't really support rlm_otp.  And we're going to remove it in a future release.

  Alan DeKok.
