Ubuntu FreeRadius YubiKey
-------------------------

Create and log in to a fresh Ubuntu 10.04 LTS machine:

------
vmbuilder kvm ubuntu \
  --dest /var/lib/libvirt/images/freeradius \
  --proxy http://192.168.1.2/ubuntu \
  --rootsize 10000 \
  --mem 600 \
  --suite lucid \
  --flavour virtual \
  --addpkg unattended-upgrades \
  --addpkg openssh-server \
  --addpkg avahi-daemon \
  --addpkg acpid \
  --ssh-key /root/.ssh/authorized_keys \
  --libvirt qemu:///system \
  --hostname freeradius \
  --bridge br0 \
  --debug
ssh -l root freeradius.local
------

Install and configure software :
--------------------------------

------
 apt-get install build-essential wget
 apt-get install libpam0g-dev libykclient3 libykclient-dev
------

Install PAM module (the tarball is fetched over plain HTTP, so check it
against the checksum or signature Yubico publishes before building it):

------
 wget http://yubico-pam.googlecode.com/files/pam_yubico-2.4.tar.gz
 tar xfz pam_yubico-2.4.tar.gz
 cd pam_yubico-2.4
 ./configure
 make check install
 ln -s /usr/local/lib/security/pam_yubico.so /lib/security/
------

Set up the PAM debug log file:

------
 touch /var/run/pam-debug.log
 chmod go+w /var/run/pam-debug.log
 tail -F /var/run/pam-debug.log &
------

Note: with 'debug' enabled the module writes every OTP it processes to this
file, and 'chmod go+w' makes the file world-writable, so keep this to a test
machine and remove 'debug' from the PAM line when you are done.

Install FreeRadius:

------
 apt-get install freeradius
 /etc/init.d/freeradius stop
------

Next we configure FreeRadius. First add this to /etc/freeradius/users:

------
 DEFAULT Auth-Type = pam
------

Then comment out 'pap' and uncomment 'pam' from
/etc/freeradius/sites-available/default.

Add to the top of /etc/pam.d/radiusd:

------
 auth sufficient pam_yubico.so id=1 debug authfile=/etc/yubikey_mapping
------

Because the line is 'sufficient', a valid OTP from a YubiKey listed in the
authfile passes the auth stack on its own and the lines below it are not
consulted for that user; this is single-factor unless you make it 'required'
and keep a password module after it.

If you want to use HMAC signing, specify the 'key=' field too, like this:

------
 auth sufficient pam_yubico.so id=1 key=b64foo debug authfile=/etc/yubikey_mapping
------

Without 'key=' the module does not verify the signature on the validation
server's reply, so set it for anything beyond a test setup.

Create a file /etc/yubikey_mapping (ccccccccltnc is Alice's YubiKey's public ID) :

------
 alice:ccccccccltnc
------

Create a Unix account 'alice': XXX should not be necessary?

------
 adduser --disabled-password alice
------

Just press RET and finally 'y RET' on the prompts.

Start radiusd:

------
 LD_PRELOAD=/lib/libpam.so.0 freeradius -X
------


Testing authentication :
------------------------

Confirm that it works with radtest (use a real OTP from Alice's YubiKey) :

------
 radtest alice ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef 127.0.0.1 0 testing123
------

'testing123' is the shared secret that the stock clients.conf assigns to
localhost; real NAS clients need their own entry and secret there.

Output should be like this:

------
Sending Access-Request of id 69 to 127.0.0.1 port 1812
	User-Name = "alice"
	User-Password = "ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=69, length=20
------

PAM debug output should be like this:

------
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 0 argc 3
[pam_yubico.c:parse_cfg(407)] argv[0]=id=1
[pam_yubico.c:parse_cfg(407)] argv[1]=debug
[pam_yubico.c:parse_cfg(407)] argv[2]=authfile=/etc/yubikey_mapping
[pam_yubico.c:parse_cfg(408)] id=1
[pam_yubico.c:parse_cfg(409)] key=(null)
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mapping
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: alice
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef
[pam_yubico.c:pam_sm_authenticate(558)] OTP: ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef ID: ccccccccltnc
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (0): Success
[pam_yubico.c:check_user_token(117)] Authorization line: alice:ccccccccltnc
[pam_yubico.c:check_user_token(121)] Matched user: alice
[pam_yubico.c:check_user_token(125)] Authorization token: ccccccccltnc
[pam_yubico.c:check_user_token(128)] Match user/token as alice/ccccccccltnc
[pam_yubico.c:pam_sm_authenticate(625)] done. [Success]
------

FreeRadius debug output should be like this:

------
rad_recv: Access-Request packet from host 127.0.0.1 port 38575, id=69, length=89
	User-Name = "alice"
	User-Password = "ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "alice", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = PAM
+- entering group authenticate {...}
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: authentication succeeded for <alice>
++[pam] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 69 to 127.0.0.1 port 38575
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 69 with timestamp +17
Ready to process requests.
------

Testing an OTP replay :
-----------------------

Run the command again, with the _same_ OTP :

------
radtest alice ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef 127.0.0.1 0 testing123
------

The output should be like this, since the OTP was replayed (the validation
server reports REPLAYED_OTP in the PAM log below; confirming that a reused
OTP is rejected is the point of this test):

------
Sending Access-Request of id 32 to 127.0.0.1 port 1812
	User-Name = "alice"
	User-Password = "ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=32, length=20
------

PAM debug log:

------
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 0 argc 3
[pam_yubico.c:parse_cfg(407)] argv[0]=id=1
[pam_yubico.c:parse_cfg(407)] argv[1]=debug
[pam_yubico.c:parse_cfg(407)] argv[2]=authfile=/etc/yubikey_mapping
[pam_yubico.c:parse_cfg(408)] id=1
[pam_yubico.c:parse_cfg(409)] key=(null)
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mapping
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: alice
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef
[pam_yubico.c:pam_sm_authenticate(558)] OTP: ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef ID: ccccccccltnc
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (2): Yubikey OTP was replayed (REPLAYED_OTP)
[pam_yubico.c:pam_sm_authenticate(625)] done. [Authentication failure]
------

FreeRadius debug log:

------
rad_recv: Access-Request packet from host 127.0.0.1 port 55170, id=32, length=89
	User-Name = "alice"
	User-Password = "ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "alice", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = PAM
+- entering group authenticate {...}
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <alice>. Reason: Permission denied
++[pam] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> alice
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.5 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 32 to 127.0.0.1 port 55170
Waking up in 4.9 seconds.
Cleaning up request 1 ID 32 with timestamp +66
Ready to process requests.
------