FreeRadius2 and OTP
-
Hello,
I am not sure if this is the right place for this topic, so feel free to send me to the right forum or bug-tracking system. I have recently installed the FreeRadius package on our testbox (2.1.2) and activated the Mobil-One-Time-Password option. Unfortunately the verification of any OTP failed during my tests. After digging a bit into the code of otpverify.sh I think I have found the problem.
In line 94 the OTP is generated by hashing Time+Secret+PIN. The first 6 characters of the hash value are the OTP, but the current code only uses the sixth character (`cut -b 6`). I have changed this to `cut -b 1-6` (see attachment) and now the verification works as desired. Is this a known problem? Has anyone used the OTP option without modification?
CU
Christian
-
Hi,
It's not a problem of the code. You probably just typed "6" on the GUI and this was the mistake. As the GUI describes and the default value shows, you have to enter "1-6", or if your OTP generator allows you can type "4-10" or something else.
So you have to be more specific on what you type on the GUI.
-
Hello,
thanx for your reply. I have used the radtest tool on the command line to test the OTP authentication as described here: https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package. As password I have used the OTP that has been created by DroidOTP on my Android phone. I don't think I have mistyped anything. Furthermore I have compared the otpverify.sh from http://motp.sourceforge.net/bash/otpverify.sh with the version provided by the freeradius2 package. The original script uses `OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 1-6` (in line 104), whereas the freeradius version uses `OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 6`. In my understanding the second version is wrong, as it only uses the 6th character instead of the first 6 characters. Therefore any authentication request via radius will be rejected. With my modification it works. So I think this is indeed a bug.
CU
Christian
-
I try to explain it again for you.
On the GUI YOU probably typed: 6
This is "wrong" because it only uses character 6 (just one character)
On the GUI you MUST type:
1-6
This uses characters 1, 2, 3, 4, 5, 6
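The effect of `cut -b 6` versus `cut -b 1-6` on the token, as discussed in Christian's post and in the reply above, as an added example that is not code from the thread or from the freeradius2 package. It assumes the Mobile-OTP scheme from the reference otpverify.sh (checksum = hex MD5 of EPOCHTIME+SECRET+PIN, EPOCHTIME = Unix time with the last digit dropped, i.e. 10-second steps); the secret, PIN and tolerance window are constructed sample values.

```python
import hashlib

# Constructed sample credentials (not real values from any deployment)
SECRET = "0123456789abcdef"
PIN = "1234"


def motp_epochtime(unix_time):
    """mOTP time value: Unix time in 10-second steps (assumed from the reference script)."""
    return str(int(unix_time) // 10)


def motp_checksum(epochtime, secret, pin):
    """Hex MD5 over EPOCHTIME+SECRET+PIN (assumed to match the script's 'checksum')."""
    return hashlib.md5(f"{epochtime}{secret}{pin}".encode()).hexdigest()


def cut_bytes(text, spec):
    """Mimic `cut -b SPEC` for one range: 'N' (single byte) or 'N-M' (1-based, inclusive)."""
    if "-" in spec:
        start, end = spec.split("-")
        return text[int(start) - 1:int(end)]
    n = int(spec)
    return text[n - 1:n]


def expected_otp(unix_time, secret, pin, cut_spec="1-6"):
    """Token the verifier computes; cut_spec is the GUI/script 'cut -b' setting."""
    digest = motp_checksum(motp_epochtime(unix_time), secret, pin)
    return cut_bytes(digest, cut_spec)


def verify(candidate, unix_time, secret, pin, cut_spec="1-6", window=3):
    """Accept if the candidate matches any 10-second step within +/- window steps.

    With cut_spec "6" the verifier derives a one-character token, so a six-digit
    token from the phone can never match and every request is rejected.
    """
    base = int(unix_time) // 10
    for step in range(-window, window + 1):
        if candidate == expected_otp((base + step) * 10, secret, pin, cut_spec):
            return True
    return False
```

Running `verify(token, time.time(), SECRET, PIN)` with a token produced for the same secret and PIN shows the six-character comparison succeeding where the `"6"` setting fails.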