authorAlexander Wilke <nachtfalkeaw@web.de>2012-02-12 15:10:10 +0100
committerAlexander Wilke <nachtfalkeaw@web.de>2012-02-12 15:10:10 +0100
commit64686568d9a18c9c1331b506cb99bebf43adbb4f (patch)
tree8a0b0984a44e55e0da660a15d61d9f78d7c06c1d /config
parent4040d9861d0ec3ddef3666a450f2f082acf81c8d (diff)
downloadpfsense-packages-64686568d9a18c9c1331b506cb99bebf43adbb4f.tar.gz
pfsense-packages-64686568d9a18c9c1331b506cb99bebf43adbb4f.tar.bz2
pfsense-packages-64686568d9a18c9c1331b506cb99bebf43adbb4f.zip
improved mobile-one-time-password handling
Diffstat (limited to 'config')
-rw-r--r--config/freeradius2/freeradius.inc109
1 files changed, 104 insertions, 5 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 1af36665..68a7b3c7 100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -124,6 +124,10 @@ function freeradius_install_command() {
// We run this here just to suppress some warnings on syslog if file doesn't exist
freeradius_authorizedmacs_resync();
+ // These two functions create the module and the dictionary entry for Mobile-One-Time-Password
+ freeradius_dictionary_resync();
+ freeradius_modulesmotp_resync();
+
// Initialize some config files - the functions below call other functions
freeradius_sqlconf_resync();
freeradius_eapconf_resync();
@@ -477,7 +481,7 @@ if (is_array($arrusers) && !empty($arrusers)) {
// if otp is enabled we need to set Auth-Type to accept because password will be checked when the otp script gets executed in reply-item list
else {
- $varuserscheckitem = '"' . $varusersusername . '"' . " Auth-Type = Accept";
+ $varuserscheckitem = '"' . $varusersusername . '"' . " Auth-Type = motp";
}
// Add additional CHECK-ITEMS here. Different formatting in "users" file needed.
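Review bot: The context comment directly above the changed line (`// if otp is enabled we need to set Auth-Type to accept because password will be checked when the otp script gets executed in reply-item list`) is now stale: the line sets `Auth-Type = motp`, and the password check moves from a reply-item Exec-Program-Wait to the `motp` exec module run from the authenticate section. Suggest rewording it to `// if motp is enabled, force Auth-Type = motp so the authenticate section runs the motp exec module, which verifies the password against the user's MOTP secret/PIN`. The value is written lowercase here while the authenticate section later in this diff declares `Auth-Type MOTP {`; FreeRADIUS appears to match these names case-insensitively, but spelling them the same in both places avoids a confusing mismatch. The enclosing `else` belongs to an if-chain whose start is outside the hunk.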
@@ -505,7 +509,7 @@ if (is_array($arrusers) && !empty($arrusers)) {
// this is the part for mobile otp
if ($users['varusersmotpenable'] == 'on') {
- $varusersreplyitem .= 'Exec-Program-Wait = "/usr/local/bin/bash /usr/local/bin/otpverify.sh %{User-Name} %{User-Password} ' . "$varusersmotpinitsecret " . "$varusersmotppin " . "$varusersmotpoffset" . '"';
+ $varusersreplyitem .= "MOTP-Init-Secret = $varusersmotpinitsecret," . "\n\tMOTP-PIN = $varusersmotppin," . "\n\tMOTP-Offset = $varusersmotpoffset";
}
else {
$varusersreplyitem .= '';
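Review bot: The three MOTP values are emitted unquoted into the users file (`MOTP-Init-Secret = $varusersmotpinitsecret,` and the two lines after it), so a secret, PIN or offset containing whitespace, a comma or a quote breaks that user's entry and, as far as I can tell, makes FreeRADIUS reject the whole file. Quoting the values is a one-line change: `$varusersreplyitem .= "MOTP-Init-Secret = \"$varusersmotpinitsecret\"," . "\n\tMOTP-PIN = \"$varusersmotppin\"," . "\n\tMOTP-Offset = \"$varusersmotpoffset\"";`. These values come from the package GUI and are later expanded into the `motp` exec command line via `%{reply:...}`, so validating them on input (for example, secret as hex, offset as a signed integer) is the complementary check worth adding where the form is processed. The `if ($users['varusersmotpenable'] == 'on')` block sits in a loop that starts outside the hunk.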
@@ -1663,6 +1667,12 @@ authenticate {
}
#
+ # Mobile-One-Time-Password (MOTP) authentication.
+ Auth-Type MOTP {
+ motp
+ }
+
+ #
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
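Review bot: The new `Auth-Type MOTP { motp }` block silently depends on a cleartext password: the `motp` exec module added later in this diff passes `%{User-Password}` on its command line, so this Auth-Type can only succeed for PAP requests and will fail for CHAP, MS-CHAP or EAP clients, which never carry User-Password. A comment inside the block would save the next maintainer a debugging session, e.g. `# Requires a PAP request: the motp exec module needs the cleartext User-Password.` The `authenticate { ... }` section this hunk modifies starts and ends outside the hunk.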
@@ -3973,14 +3983,14 @@ fi
# account locked?
if [ "`cat /var/log/motp/users/\$USERNAME 2>/dev/null`" == "8" ]; then
echo "FAIL"
- logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Mobile-One-Time-Password incorrect or expired!"
+ logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Too many wrong password attempts. User is locked! To unlock delete /var/log/motp/users/\$USERNAME"
exit 13
fi
I=0
-EPOCHTIME=`expr \$EPOCHTIME - 18`
+EPOCHTIME=`expr \$EPOCHTIME - 2`
EPOCHTIME=`expr \$EPOCHTIME + \$OFFSET`
-while [ \$I -lt 36 ] ; do # 3 minutes before and after
+while [ \$I -lt 4 ] ; do # 20 seconds before and after
OTP=`printf \$EPOCHTIME\$SECRET\$PIN|checksum|cut -b 1-6`
if [ "\$OTP" = "\$PASSWD" ] ; then
touch /var/log/motp/cache/\$OTP || { echo "FAIL! Need write-access to /var/log/motp";logger -f /var/log/system.log "FreeRADIUS: Mobile-One-Time-Password - need write-access to /var/log/motp/cache"; exit 17; }
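Review bot: The new comment `# 20 seconds before and after` does not match the arithmetic on the lines above it: the search starts at `EPOCHTIME - 2` and runs 4 iterations, which covers steps -2..+1 — 20 s before but only 10 s after — assuming EPOCHTIME advances by one 10-second step per iteration (that increment is outside the hunk). Either use `while [ \$I -lt 5 ] ; do` for a symmetric window or correct the comment. Shrinking the window from roughly ±3 minutes to ±20 s also means any phone clock drift beyond that has to be absorbed by MOTP-Offset; stating that in the comment tells operators why logins begin failing after drift. This shell script is embedded in a PHP heredoc whose start and end lie outside the hunk.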
@@ -4017,4 +4027,93 @@ EOD;
}
+function freeradius_modulesmotp_resync() {
+ global $config;
+ $conf = '';
+
+ $conf .= <<<EOD
+exec motp {
+ wait = yes
+ program = "/usr/local/bin/bash /usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}"
+ input_pairs = reply
+ #output_pairs = config
+ }
+
+
+EOD;
+
+ $filename = RADDB . '/modules/motp';
+ conf_mount_rw();
+ file_put_contents($filename, $conf);
+ chmod($filename, 0640);
+ conf_mount_ro();
+
+}
+
+function freeradius_dictionary_resync() {
+ global $config;
+ $conf = '';
+
+ $conf .= <<<EOD
+
+#
+# This is the master dictionary file, which references the
+# pre-defined dictionary files included with the server.
+#
+# Any new/changed attributes MUST be placed in this file, as
+# the pre-defined dictionaries SHOULD NOT be edited.
+#
+# \$Id\$
+#
+
+#
+# The DHCP dictionary is used only when the server is built with
+# "configure --with-dhcp". It is not (and should not) be used in
+# other situations. If you are running just a RADIUS server, this
+# line can be deleted. If you are using DHCP, the following line
+# should be uncommented.
+#
+# Ideally, the "configure" process should automatically enable this
+# dictionary, but we don't yet do that.
+#
+#\$INCLUDE /usr/local/dictionary.dhcp
+
+#
+# The filename given here should be an absolute path.
+#
+\$INCLUDE /usr/local/share/freeradius/dictionary
+
+#
+# Place additional attributes or \$INCLUDEs here. They will
+# over-ride the definitions in the pre-defined dictionaries.
+#
+# See the 'man' page for 'dictionary' for information on
+# the format of the dictionary files.
+
+#
+# If you want to add entries to the dictionary file,
+# which are NOT going to be placed in a RADIUS packet,
+# add them here. The numbers you pick should be between
+# 3000 and 4000.
+#
+
+#ATTRIBUTE My-Local-String 3000 string
+#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
+#ATTRIBUTE My-Local-Integer 3002 integer
+
+### Attributes for mobile-One-Time-Password
+ATTRIBUTE MOTP-Init-Secret 900 string
+ATTRIBUTE MOTP-PIN 901 string
+ATTRIBUTE MOTP-Offset 902 string
+
+EOD;
+
+ $filename = RADDB . '/dictionary';
+ conf_mount_rw();
+ file_put_contents($filename, $conf);
+ chmod($filename, 0640);
+ conf_mount_ro();
+
+}
+
?> \ No newline at end of file
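Review bot: The attribute numbers for the new MOTP entries (`ATTRIBUTE MOTP-Init-Secret 900 string` through 902) fall outside the 3000–4000 range that the dictionary text written by this same function reserves for local, non-wire attributes; anything above 255 cannot be encoded in a RADIUS packet either way, so they stay internal, but I cannot confirm from here that 900–902 are unused by the server's built-in dictionaries, and `3000`–`3002` would follow the file's own guidance. `global $config;` is declared in both new functions but never read, and `$conf = '';` followed by `$conf .= <<<EOD` can be a single assignment. The generated `program =` line places the user's password, init secret and PIN on the command line of the spawned verifier, where they are visible to any local user via `ps` for the lifetime of that process; this mirrors the old reply-item approach, but a comment above `program =` recording the trade-off would help whoever revisits it. `freeradius_dictionary_resync` also overwrites the whole `RADDB . '/dictionary'` file on every run, so attributes an administrator added by hand are lost; at minimum the heredoc should open with a line saying the file is generated by the package and must not be edited in place.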