
EAP-GTC does not include User-Password in any of the VP lists, hence python modules can't do anything with it

Open alejandro-perez opened this issue 7 years ago • 4 comments

Issue type

  • Defect - Non compliance with a standards document, or incorrect API usage.

Defect

Documentation in mods-enabled/eap says that

                #  The plain-text response which comes back
                #  is put into a User-Password attribute,
                #  and passed to another module for
                #  authentication.  This allows the EAP-GTC
                #  response to be checked against plain-text,
                #  or crypt'd passwords.

However, the User-Password attribute is not put in any of the VPS lists (request, reply, config, proxy...). Hence, modules written in languages such as Python or Perl cannot access it.

How to reproduce the issue

  1. Configure EAP-TTLS with GTC as the inner method.
  2. Use the example Python (with the pass_all_vps argument) or Perl modules to check the VP lists.
  3. User-Password is not there.

What happens is that rlm_eap_gtc.c is setting the VP in request->password, but is not adding it to request->packet or request->config. This is not an issue if you want to implement your own C module, as you have access to the whole request structure. However, if you want to perform authentication using Python/Perl/... then you cannot get the value.

I guess it could also be added to request->config or request->packet. What do you think? If you agree I can easily create a PR with the functionality.

alejandro-perez, Jul 31 '18 08:07

Just add it to the config list. That's probably the best thing for 3.0.

alandekok, Jul 31 '18 13:07

Yes, right. Although I still could not modify it. What I want to achieve is to implement a 2-factor authentication using TOTP. I want to do something similar to what rlm_yubikey does (using the password to transport PWD+OTP_CODE, validating the code, and rewriting the PWD to restore it to the original value, so the authentication process works as it should). But maybe I MUST write a C module rather than a Python one if, to make it work, I need to patch FR and that patch is not going to be useful to anyone but me.

alejandro-perez, Jul 31 '18 13:07

@alejandro-perez I am trying to implement something similar, using python to authenticate. How were you able to access the User-Password? alandekok suggested adding it to the config list, how is this done? Thanks.

gm3197, Jul 04 '21 15:07

@gm3197 sorry I was on leave and I couldn't answer.

Just make sure you enable the pass_all_vps_dict option, so you get all the VP lists. I recommend enabling the example Python module that dumps all the VPs to the log output, so you can check in which stage (e.g. authorize or post-auth) and list (e.g. request, config, etc.) the information you are looking for is.

IIRC you get the User-Password attribute in the request list during the authenticate stage.

alejandro-perez, Jul 17 '21 16:07
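An added example, not code from the thread or from the FreeRADIUS project: an rlm_python authenticate() hook for FreeRADIUS 3.0 in the style of the PWD+OTP_CODE scheme discussed above. It assumes pass_all_vps_dict = yes, so `p` is a dict of lists, reads User-Password from the "request" list (where the last reply says EAP-GTC exposes it during authenticate), splits off a trailing 6-digit TOTP code and verifies it with RFC 6238 HMAC-SHA1, then checks the remaining static password against a constructed user store. The USERS table, the `now` test parameter and the stand-in radiusd constants are assumptions.

```python
import hashlib, hmac, struct, time

try:
    import radiusd  # provided by FreeRADIUS when rlm_python loads the module
except ImportError:  # stand-in constants so the file also runs outside FreeRADIUS
    class radiusd:
        RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK = 0, 1, 2

# Constructed user store: sha256 of the static password plus the raw TOTP seed.
USERS = {"alice": {"pw_sha256": hashlib.sha256(b"hunter2").hexdigest(),
                   "totp_seed": b"12345678901234567890"}}
DIGITS = 6

def totp_codes(seed, at, step=30, window=1):
    """Valid RFC 6238 codes (HMAC-SHA1) for the time steps around `at`."""
    codes = []
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        mac = hmac.new(seed, struct.pack(">Q", c), hashlib.sha1).digest()
        off = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
        num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
        codes.append(str(num % 10 ** DIGITS).zfill(DIGITS))
    return codes

def split_password(user_password):
    """PWD+OTP_CODE as rlm_yubikey does it: the trailing DIGITS chars are the OTP."""
    if len(user_password) <= DIGITS or not user_password[-DIGITS:].isdigit():
        return None, None
    return user_password[:-DIGITS], user_password[-DIGITS:]

def vp(vps, name):
    """First value of `name` in an rlm_python list of (attribute, value) pairs."""
    return next((v for k, v in vps if k == name), None)

def authenticate(p, now=None):
    """rlm_python hook; FreeRADIUS passes only `p`, `now` exists for testing."""
    req = p.get("request", ())
    user, pw = vp(req, "User-Name"), vp(req, "User-Password")
    static_pw, code = split_password(pw or "")
    if user not in USERS or code is None:
        return radiusd.RLM_MODULE_REJECT
    rec = USERS[user]
    # Compare in constant time against every code in the accepted window.
    otp_ok = any(hmac.compare_digest(code, c)
                 for c in totp_codes(rec["totp_seed"], now or time.time()))
    pw_ok = hmac.compare_digest(hashlib.sha256(static_pw.encode()).hexdigest(),
                                rec["pw_sha256"])
    return radiusd.RLM_MODULE_OK if otp_ok and pw_ok else radiusd.RLM_MODULE_REJECT
```

The module is wired in through the rlm_python instance's func_authenticate setting; the seed and time 59 in the test reproduce the RFC 4226/6238 test vector (code 287082).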