FreeRadius using PGP to authenticate users

2004-06-21 Thread Alain Perry
(Moderators: sorry I first sent this email with the wrong email address)

Hi list,

I'm curious about the possibility of using PGP keys to authenticate users
via a challenge. I'm using an LDAP database to store my users'
information, and this is working great with a simple login/password
scheme for the moment. However, I would really like to be able to
authenticate them using a random string which would be encrypted using
their public key; they would just have to decipher it and send
back the string. I barely understand whether EAP could help with that (all
documentation I find is evasive about EAP when not related to 802.1x)...

Could any of you tell me if this would be possible with FreeRADIUS as it
is now? Would I have to modify its code? Would EAP really help?

Thanks in advance for your answers, and please excuse my question if it
is stupid; I'm totally new to RADIUS (I read Jonathan Hassell's book, but
it doesn't help on that particular subject).

-- 
Alain Perry



Re: FreeRadius using PGP to authenticate users

2004-06-21 Thread Alan DeKok
Alain Perry [EMAIL PROTECTED] wrote:
> I'm curious about the possibility of using PGP keys to authenticate users
> via a challenge. I'm using an LDAP database to store my users'
> information, and this is working great with a simple login/password
> scheme for the moment. However, I would really like to be able to
> authenticate them using a random string which would be encrypted using
> their public key; they would just have to decipher it and send
> back the string.

  What software exists on the client side to do this?  If the answer
is none, there isn't much point in doing it.

> I barely understand whether EAP could help with that (all
> documentation I find is evasive about EAP when not related to 802.1x)...

  EAP started off as part of PPP.  It's used elsewhere now.

  To do this, you could use EAP-GTC, but few clients implement it
as-is.  It's usually part of EAP-TTLS or PEAP.

> Could any of you tell me if this would be possible with FreeRADIUS as it
> is now? Would I have to modify its code? Would EAP really help?

  If you're doing wireless, use EAP.  If not, don't.

  FreeRADIUS can do challenge-response fairly easily, but you will
have to write code to decide what to use for a challenge, and how to
verify the response.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
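The challenge-response exchange Alan describes, written out as an added example with both sides' messages; this is not code from the original thread and not FreeRADIUS code. It assumes RSA-OAEP from Go's standard library as a stand-in for PGP decryption (the standard library has no OpenPGP implementation), models the RADIUS Access-Challenge round trip and its State attribute (RFC 2865) as a map of outstanding challenges, and takes the user-to-public-key lookup (the LDAP lookup in Alain's setup) as given. All type and function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// OAEP label (an assumption of this sketch, not a PGP feature): it ties the
// ciphertext to this protocol so a challenge cannot be confused with other
// data encrypted to the same key.
var label = []byte("radius-pgp-challenge")

// pending is one outstanding Access-Challenge, keyed by its State value.
type pending struct {
	user    string
	nonce   []byte
	expires time.Time
}

// Server stands in for the hypothetical FreeRADIUS module: the user -> public
// key map replaces the LDAP lookup; pending holds the challenges it has issued.
type Server struct {
	keys    map[string]*rsa.PublicKey
	pending map[string]pending
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be exercised
}

func NewServer() *Server {
	return &Server{keys: map[string]*rsa.PublicKey{}, pending: map[string]pending{},
		ttl: 30 * time.Second, now: time.Now}
}

func (s *Server) AddUser(user string, pub *rsa.PublicKey) { s.keys[user] = pub }

// Challenge is the payload of the Access-Challenge reply.
type Challenge struct {
	State      string // opaque token the client must echo back
	Ciphertext []byte // random nonce encrypted to the user's public key
}

// Begin handles the first Access-Request (user name only): draw a fresh nonce,
// encrypt it to the user's key and remember it under a fresh State value.
func (s *Server) Begin(user string) (Challenge, error) {
	pub, ok := s.keys[user]
	if !ok {
		return Challenge{}, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, label)
	if err != nil {
		return Challenge{}, err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return Challenge{}, err
	}
	state := hex.EncodeToString(raw)
	s.pending[state] = pending{user: user, nonce: nonce, expires: s.now().Add(s.ttl)}
	return Challenge{State: state, Ciphertext: ct}, nil
}

// Finish handles the second Access-Request (State plus the decrypted nonce) and
// returns true for Access-Accept. The State is consumed on every attempt, right
// or wrong, so a single challenge can never be retried or replayed.
func (s *Server) Finish(user, state string, response []byte) bool {
	p, ok := s.pending[state]
	delete(s.pending, state)
	if !ok || p.user != user || s.now().After(p.expires) {
		return false
	}
	return subtle.ConstantTimeCompare(p.nonce, response) == 1
}

// GenerateUserKey stands in for the user's PGP key pair.
func GenerateUserKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ClientRespond is the supplicant side: decrypt the challenge, return the nonce.
func ClientRespond(priv *rsa.PrivateKey, c Challenge) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, c.Ciphertext, label)
}

func main() {
	priv, err := GenerateUserKey()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.AddUser("alain", &priv.PublicKey)
	ch, _ := srv.Begin("alain")
	resp, _ := ClientRespond(priv, ch)
	fmt.Println("accepted:", srv.Finish("alain", ch.State, resp),
		"replay accepted:", srv.Finish("alain", ch.State, resp))
}
```

Two properties of the scheme are worth noticing before building it. First, because the supplicant decrypts whatever ciphertext the network hands it and sends the plaintext back, anyone who can pose as the access point gets a decryption oracle for that key; the OAEP label above only narrows this within the sketch, and with a real PGP key the practical answer is a key used for nothing but this authentication. Second, the State is single-use and expires, so a captured challenge/response pair is worthless afterwards; the outstanding-challenge table lives in one process here, which is fine for a sketch but would have to be shared or replaced if more than one server answers the same clients.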


Re: FreeRadius using PGP to authenticate users

2004-06-21 Thread Alain Perry
> What software exists on the client side to do this?  If the answer
> is none, there isn't much point in doing it.

The answer is none, but I'm planning on writing it...

> EAP started off as part of PPP.  It's used elsewhere now.

That I understood.

> To do this, you could use EAP-GTC, but few clients implement it
> as-is.  It's usually part of EAP-TTLS or PEAP.

The only radius software I'm going to use is freeRADIUS and the one I'll
write, so if FreeRADIUS does it, that's good enough for me :-)

> If you're doing wireless, use EAP.  If not, don't.

Well, I'm doing wireless, but I'd like not to use a login/password
scheme.

> FreeRADIUS can do challenge-response fairly easily, but you will
> have to write code to decide what to use for a challenge, and how to
> verify the response.

Is this feasible as a module, or do I have to actually modify FreeRADIUS
code to do it?

Thank you for your answers,

-- 
Alain Perry



Re: FreeRadius using PGP to authenticate users

2004-06-21 Thread Alan DeKok
Alain Perry [EMAIL PROTECTED] wrote:
> > FreeRADIUS can do challenge-response fairly easily, but you will
> > have to write code to decide what to use for a challenge, and how to
> > verify the response.
>
> Is this feasible as a module, or do I have to actually modify FreeRADIUS
> code to do it?

  You'll have to add a module.  Maybe hacking the rlm_eap_gtc module
will work.

  You won't have to touch the server core.  (i.e. anything outside of
the module).

  Alan DeKok.




Re: FreeRadius using PGP to authenticate users

2004-06-21 Thread Rok Papez
Hi Alan.
Alain Perry writes:
> > FreeRADIUS can do challenge-response fairly easily, but you will
> > have to write code to decide what to use for a challenge, and how to
> > verify the response.
>
> Is this feasible as a module, or do I have to actually modify FreeRADIUS
> code to do it?
A lot of freeRadius functionality is in modules; you'll have to look
into ./src/modules/rlm_eap/types and create something like rlm_eap_gpg.
This would be a directory for the EAP_GPG submodule. Also, for development
the freeradius-devel mailing list is available. But don't ask questions until
you've studied at least one rlm_eap_* (I think md5 is the closest thing
to what you want) and know some basic concepts.
AFAIK FreeRADIUS is very easy to code for. The code is well structured and
clear. You'll have more fun ;-] with an EAP client. Your best (fastest)
bet is to get it working with Xsupplicant.
--
Good luck,
Rok Papez.