From 64686568d9a18c9c1331b506cb99bebf43adbb4f Mon Sep 17 00:00:00 2001
From: Alexander Wilke
Date: Sun, 12 Feb 2012 15:10:10 +0100
Subject: improved mobile-one-time-password handling
---
 config/freeradius2/freeradius.inc | 109 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 104 insertions(+), 5 deletions(-)
(limited to 'config/freeradius2/freeradius.inc')
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 1af36665..68a7b3c7 100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -124,6 +124,10 @@ function freeradius_install_command() {
 // We run this here just to suppress some warnings on syslog if file doesn't exist
 freeradius_authorizedmacs_resync();
+ // These two functions create the module and the dictionary entry for Mobile-One-Time-Password
+ freeradius_dictionary_resync();
+ freeradius_modulesmotp_resync();
+
 // Initialize some config files - the functions below call other functions
 freeradius_sqlconf_resync();
 freeradius_eapconf_resync();
@@ -477,7 +481,7 @@ if (is_array($arrusers) && !empty($arrusers)) {
 // if otp is enabled we need to set Auth-Type to accept because password will be checked when the otp script gets executed in reply-item list
 else {
- $varuserscheckitem = '"' . $varusersusername . '"' . " Auth-Type = Accept";
+ $varuserscheckitem = '"' . $varusersusername . '"' . " Auth-Type = motp";
 }
 // Add additional CHECK-ITEMS here. Different formatting in "users" file needed. 
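Review bot: The comment above the `else` branch still says Auth-Type is set to accept and the password is checked by the otp script in the reply-item list, but the new line sets `Auth-Type = motp`, so the credential is now verified in the authenticate section by the motp module rather than after an Accept has already been decided; update the comment to `// if motp is enabled, hand the request to the motp module (Auth-Type MOTP in the authenticate section); the password is verified there, not in a reply-item`. The value is spelled `motp` here while the authenticate section added in the `@@ -1662` hunk declares `Auth-Type MOTP`; FreeRADIUS should match Auth-Type values case-insensitively, but using one spelling in both places avoids relying on that. The enclosing if/else and the user loop around it start outside the hunk.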
@@ -505,7 +509,7 @@ if (is_array($arrusers) && !empty($arrusers)) {
 // this is the part for mobile otp
 if ($users['varusersmotpenable'] == 'on') {
- $varusersreplyitem .= 'Exec-Program-Wait = "/usr/local/bin/bash /usr/local/bin/otpverify.sh %{User-Name} %{User-Password} ' . "$varusersmotpinitsecret " . "$varusersmotppin " . "$varusersmotpoffset" . '"';
+ $varusersreplyitem .= "MOTP-Init-Secret = $varusersmotpinitsecret," . "\n\tMOTP-PIN = $varusersmotppin," . "\n\tMOTP-Offset = $varusersmotpoffset";
 }
 else {
 $varusersreplyitem .= '';
@@ -1662,6 +1666,12 @@ authenticate {
 mschap
 }
+ #
+ # Mobile-One-Time-Password (MOTP) authentication.
+ Auth-Type MOTP {
+ motp
+ }
+
 #
 # If you have a Cisco SIP server authenticating against
 # FreeRADIUS, uncomment the following line, and the 'digest'
@@ -3973,14 +3983,14 @@ fi
 # account locked?
 if [ "`cat /var/log/motp/users/\$USERNAME 2>/dev/null`" == "8" ]; then
 echo "FAIL"
- logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Mobile-One-Time-Password incorrect or expired!"
+ logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Too many wrong password attempts. User is locked! To unlock delete /var/log/motp/users/\$USERNAME"
 exit 13
 fi
 I=0
-EPOCHTIME=`expr \$EPOCHTIME - 18`
+EPOCHTIME=`expr \$EPOCHTIME - 2`
 EPOCHTIME=`expr \$EPOCHTIME + \$OFFSET`
-while [ \$I -lt 36 ] ; do # 3 minutes before and after
+while [ \$I -lt 4 ] ; do # 20 seconds before and after
 OTP=`printf \$EPOCHTIME\$SECRET\$PIN|checksum|cut -b 1-6`
 if [ "\$OTP" = "\$PASSWD" ] ; then
 touch /var/log/motp/cache/\$OTP || { echo "FAIL! Need write-access to /var/log/motp";logger -f /var/log/system.log "FreeRADIUS: Mobile-One-Time-Password - need write-access to /var/log/motp/cache"; exit 17; }
@@ -4017,4 +4027,93 @@ EOD;
 }
+function freeradius_modulesmotp_resync() {
+ global $config;
+ $conf = '';
+
+ $conf .= <<
\ No newline at end of file
-- cgit v1.2.3
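Review bot: `MOTP-Init-Secret` and `MOTP-PIN` are appended to `$varusersreplyitem`, so they land in the reply-item list of the users file, and reply items are what the server copies into the Access-Accept unless the attribute is defined as an internal one. Whether the secret and PIN are therefore sent to the NAS depends on how `freeradius_dictionary_resync()` declares these attributes, which is not in this diff; if they are not internal-only, they belong in the check items (the request's control list) and the motp module should read them from there. The values are also interpolated unquoted, so a PIN or offset containing a space or comma would break the users entry unless the GUI already rejects such input; quoting them, e.g. `"\n\tMOTP-PIN = \"$varusersmotppin\","`, keeps the entry well-formed. The enclosing if/else and the user loop start outside the hunk.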
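Review bot: The new comment `# 20 seconds before and after` does not match the arithmetic next to it: `EPOCHTIME - 2` followed by four iterations covers offsets -2, -1, 0 and +1 (assuming the loop advances EPOCHTIME by one per pass, the increment being outside the hunk), i.e. two steps before but only one after. Either keep `- 2` and use `while [ \$I -lt 5 ]` for a symmetric window, or change the comment to state the actual tolerance. Shrinking the window from the old ±3 minutes is a sound hardening step since it leaves far fewer valid codes at any moment, but a tolerance this tight depends on the token device's clock staying within one step of the server, which is worth documenting where the per-user offset is configured. The loop body and the rest of the script continue outside the hunk.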