Exercising Challenge/Response code path in pam client?
aland at deployingradius.com
Sat Sep 24 15:53:33 CEST 2016
On Sep 24, 2016, at 9:43 AM, Richard Perrin <rcp at sentientmeat.ca> wrote:
> My reason is that I'm integrating the pam-radius-auth client into a
> product and need to verify the full client functionality. I need to
> create a lasting test-bed that simulates a target deployment that
> would be using Challenge/Response authentication.
If you're just doing Unix logins, pam-radius-auth has done RADIUS challenge-response correctly since 1998... when I wrote it.
> I'm seeking a simple as possible config for freeradius server (now
> version 3.0.11) that would allow me to exercise the Challenge/Response
> path in the pam client (packaged on Ubuntu 14.04 as
The simplest thing is to re-use an existing challenge-response system. i.e. something your clients will use.
> An additional detail is that I'm using the radius pam module for the
> login and ssh services.
Then the pam-radius-auth module should work. It's worked since 1998.
> I looked at the rlm_otp module, but found the otpd codebase is
> dormant. rlm_eap may be where I end up, but the breadth of options
> there seems like I'll spend a lot of time figuring out the
rlm_otp might work. rlm_eap won't. EAP is an authentication method entirely different from normal password challenge-response.
You can't just pick random things and expect them to work. You have to *understand* what the protocols are doing.
> rlm_yubikey, rlm_securid, and rlm_smsotp require
> devices or infrastructure I don't currently have, but could obtain if
TBH, Yubikey systems are cheap. Get one, and test it. It will work.
> Of the other modules that grep for CHALLENGE,
> rlm_preprocess, rlm_example, rlm_replicate don't seem suitable. So
> rlm_cram, rlm_mschap, rlm_chap or rlm_eap seem like the best
> candidates. EAP has documentation, which the others lack.
Trying random things is entirely the wrong approach.
> Is there one that seems like the winner for ease of configuration for
If you don't understand how MS-CHAP and EAP are different from normal challenge-response, you will have a VERY bad time trying to implement your own challenge-response mechanism.
More information about the Freeradius-Users