Freeradius 3.X with motp module
Alan DeKok
aland at deployingradius.com
Thu Jul 1 18:43:51 CEST 2021
On Jul 1, 2021, at 11:10 AM, Jonathan C <raidenc at gmail.com> wrote:
> It seems the 3.X version of freeradius doesn't know the output "ACCEPT" of
> the otpverify.sh script but I'm not sure and I don't know what i'm supposed
> to do to make it work like it's supposed to do.
See raddb/mods-available/exec and raddb/mods-available/echo for documentation on the exec scripts.
In short, you can't just return random strings and have the server do magic things with the string.
> Below the full output of debug :
>
> FreeRADIUS Version 3.0.17
You should upgrade to the latest version. See http://packages.networkradius.com
>> # Loading module "motp" from file /etc/freeradius/3.0/radiusd.conf
>> exec motp {
>> wait = yes
>> program = "/usr/sbin/otpverify.sh %{User-Name} %{User-Password}
>> %{reply:Secret} %{reply:PIN} %{reply:Offset}"
>> input_pairs = "request"
>> output_pairs = "reply"
>> shell_escape = yes
>> }
Read the documentation. You've configured the module to read the output of the program, and expect to parse attributes. Then, those attributes are placed into the reply.
You should probably also not put passwords onto the command-line. Other users on the same system may be able to read them.
>> ...
>> (0) motp: ERROR: Failed parsing output from: /usr/sbin/otpverify.sh
>> %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}:
>> Expecting operator
Exactly. It expects to read something like
Framed-IP-Address := 1.2.3.4
>> (0) motp: ERROR: Program returned code (0) and output 'ACCEPT'
That's not an attribute, and it doesn't have an operator, and doesn't have a value.
This never worked in v2, either. See modules/echo in v2. The documentation there is essentially the same as for v3.
If you want the script to cause authentication to succeed or fail, then read the documentation, and have the script return an appropriate return code.
Alan DeKok.
More information about the Freeradius-Users
mailing list