Hi. I'd like to have freeradius authenticate users using their password (for simplicity I'm using /etc/shadow now) and TOTP through liboath. I was hoping to use freeradius to centralize this. PAM looked like the easiest way.
I'm using freeradius 2.1.12 from debian wheezy. PAM configuration is simple:

    auth required pam_unix.so nullok_secure
    auth requisite pam_oath.so usersfile=/etc/users.oath debug

On the testing machine running freeradius this works great for su:

    <root|lex>[pam.d]# su
    Password:
    [pam_oath.c:parse_cfg(118)] called.
    [pam_oath.c:parse_cfg(119)] flags 0 argc 3
    [pam_oath.c:parse_cfg(121)] argv[0]=usersfile=/etc/users.oath
    [pam_oath.c:parse_cfg(121)] argv[1]=window=1
    [pam_oath.c:parse_cfg(121)] argv[2]=debug
    [pam_oath.c:parse_cfg(122)] debug=1
    [pam_oath.c:parse_cfg(123)] alwaysok=0
    [pam_oath.c:parse_cfg(124)] try_first_pass=0
    [pam_oath.c:parse_cfg(125)] use_first_pass=0
    [pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
    [pam_oath.c:parse_cfg(127)] digits=0
    [pam_oath.c:parse_cfg(128)] window=1
    [pam_oath.c:pam_sm_authenticate(157)] get user returned: root
    One-time password (OATH) for `root':

After entering the password the pam_oath module sends the challenge for OTP and then it authenticates me. SSH works well as well.

However when I run freeradius I never get the challenge:

    pam_pass: using pamauth string <radiusd> for pam.conf lookup
    [pam_oath.c:parse_cfg(118)] called.
    [pam_oath.c:parse_cfg(119)] flags 0 argc 3
    [pam_oath.c:parse_cfg(121)] argv[0]=usersfile=/etc/users.oath
    [pam_oath.c:parse_cfg(121)] argv[1]=window=1
    [pam_oath.c:parse_cfg(121)] argv[2]=debug
    [pam_oath.c:parse_cfg(122)] debug=1
    [pam_oath.c:parse_cfg(123)] alwaysok=0
    [pam_oath.c:parse_cfg(124)] try_first_pass=0
    [pam_oath.c:parse_cfg(125)] use_first_pass=0
    [pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
    [pam_oath.c:parse_cfg(127)] digits=0
    [pam_oath.c:parse_cfg(128)] window=1
    [pam_oath.c:pam_sm_authenticate(157)] get user returned: root
    [pam_oath.c:pam_sm_authenticate(232)] conv returned: karel
    [pam_oath.c:pam_sm_authenticate(248)] OTP too short: karel
    [pam_oath.c:pam_sm_authenticate(322)] done. [Authentication failure]
    pam_pass: function pam_authenticate FAILED for <root>. Reason: Authentication failure

It seems it gets passed the first password even though neither try_first_pass nor use_first_pass is set for the pam_oath module. It looks like freeradius passes it the User-Password attribute. Is this a problem in freeradius or the pam stack or am I doing something wrong? I was expecting to get a radius access-challenge proxying the pam_oath challenge similar to how ssh takes care of this. Is there a way to get this setup working?

I'd like to use the ldap passwords for users so I'm trying to avoid plaintext secrets in oath configuration. So far it seems I cannot use more than one authentication method in freeradius so pam or some custom module seem like the only two options.

Thanks for pointers,
Martin

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
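The two-step flow the post expects (verify the password, answer with an Access-Challenge that carries the OTP prompt and a State attribute, then verify the TOTP when the client replies with that State) can be sketched as a small server-side state machine. The following is an added example in pure Python, not freeradius, rlm_pam, pam_oath or the poster's code. It assumes an in-memory user record and State table, a constructed password hash scheme in place of /etc/shadow or LDAP, and the RFC 4226/6238 test secret in place of an /etc/users.oath entry; the RADIUS packet encoding itself is left out and the attributes are passed as plain values.

```python
"""Password-then-TOTP challenge flow, RADIUS style (added example, not freeradius code).
User records, salt and State storage are constructed for the demo."""
import hashlib
import hmac
import secrets
import struct
import time

SALT = b"demo-salt"  # constructed; a real store uses a random per-user salt


def pw_hash(password: str) -> bytes:
    """Constructed stand-in for the /etc/shadow or LDAP password check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed user database.  The TOTP secret is the RFC 4226 / RFC 6238 test secret,
# the same thing an /etc/users.oath line would hold in hex.
USERS = {
    "alice": {"pw": pw_hash("correct horse"), "totp_secret": b"12345678901234567890"},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp_ok(secret: bytes, otp: str, now: int, step: int = 30, window: int = 1) -> bool:
    """RFC 6238 TOTP check with a +/- window of time steps (window=1 as in the post)."""
    if not otp.isdigit() or len(otp) != 6:
        return False  # the equivalent of pam_oath's "OTP too short" rejection
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, c), otp)
               for c in range(counter - window, counter + window + 1))


PENDING = {}    # State token -> (user, expiry); in-memory for the demo
STATE_TTL = 60  # seconds a challenge stays answerable


def handle_access_request(user, password=None, otp=None, state=None, now=None):
    """Return (reply code, attributes) for one Access-Request.

    First request: User-Password only -> password is checked as the first factor
    and an Access-Challenge with State is returned.  Second request: State plus
    the OTP (which a real client sends in User-Password) -> Accept or Reject.
    """
    now = int(time.time()) if now is None else now
    rec = USERS.get(user)
    if rec is None:
        return ("Access-Reject", {})
    if state is None:
        # Step 1: the password is only ever compared against the password store,
        # never handed to the OTP check.
        if password is None or not hmac.compare_digest(pw_hash(password), rec["pw"]):
            return ("Access-Reject", {})
        token = secrets.token_hex(16)
        PENDING[token] = (user, now + STATE_TTL)
        return ("Access-Challenge",
                {"State": token, "Reply-Message": "One-time password (OATH):"})
    # Step 2: the State token is single-use and bound to the user and a deadline.
    entry = PENDING.pop(state, None)
    if entry is None or entry[0] != user or now > entry[1]:
        return ("Access-Reject", {})
    if otp is None or not totp_ok(rec["totp_secret"], otp, now):
        return ("Access-Reject", {})
    return ("Access-Accept", {})


if __name__ == "__main__":
    t = 59  # RFC 6238 test vector time; the expected SHA-1 code at T=59 is 287082
    code, attrs = handle_access_request("alice", password="correct horse", now=t)
    print(code, attrs)
    print(handle_access_request("alice", otp="287082", state=attrs["State"], now=t))
```

The point of the State table is that the second request carries no password at all: the server already knows from the State token that the first factor passed, so the OTP can be validated on its own, and popping the token makes a replayed second request fail.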