Exercising Challenge/Response code path in pam client?

Alan DeKok aland at deployingradius.com
Sat Sep 24 15:53:33 CEST 2016

On Sep 24, 2016, at 9:43 AM, Richard Perrin <rcp at sentientmeat.ca> wrote:
> My reason is that I'm integrating the pam-radius-auth client into a
> product and need to verify the full client functionality. I need to
> create a lasting test-bed that simulates a target deployment that
> would be using Challenge/Response authentication.

  If you're just doing Unix logins, pam-radius-auth has done RADIUS challenge-response correctly since 1998... when I wrote it.

> I'm seeking a simple as possible config for freeradius server (now
> version 3.0.11) that would allow me to exercise the Challenge/Response
> path in the pam client (packaged on Ubuntu 14.04 as
> libpam-radius-auth-1.3.17).

   The simplest thing is to re-use an existing challenge-response system.  i.e. something your clients will use.

> An additional detail is that I'm using the radius pam module for the
> login and ssh services.

  Then the pam-radius-auth module should work.  It's worked since 1998.

> I looked at the rlm_otp module, but found the otpd codebase is
> dormant. rlm_eap may be where I end up, but the breadth of options
> there seems like I'll spend a lot of time figuring out the
> configuration.

  rlm_otp might work.  rlm_eap won't.  EAP is an authentication method entirely different from normal password challenge-response.

  You can't just pick random things and expect them to work.  You have to *understand* what the protocols are doing.

> rlm_yubikey, rlm_securid, and rlm_smsotp require
> devices or infrastructure I don't currently have, but could obtain if
> warranted.

  TBH, Yubikey systems are cheap.  Get one, and test it.  It will work.

> Of the other modules that grep for CHALLENGE,
> rlm_preprocess, rlm_example, rlm_replicate don't seem suitable. So
> rlm_cram, rlm_mschap, rlm_chap or rlm_eap seem like the best
> candidates. EAP has documentation, which the others lack.

  Trying random things is entirely the wrong approach.

> Is there one that seems like the winner for ease of configuration for
> Challenge/Response?


  If you don't understand how MS-CHAP and EAP are different from normal challenge-response, you will have a VERY bad time trying to implement your own challenge-response mechanism.

  Alan DeKok.

More information about the Freeradius-Users mailing list