Freeradius, mOTP and bash
I'm stuck at setting up an appliance with pfsense. I tried the same procedure on 2.1. amd64, 2.1 i386, 2.1.1. amd64 - always live install CD.
After installing the base system and setting up the two basic NICs I try to install the freeradius2 package, enable mOTP and authenticate against it. When enabling mOTP in the freeradius settings, the follwing is written to the syslog:
Apr 3 20:46:55 pfSense php: /pkg_edit.php: FreeRADIUS: Downloading and installing package "bash-4.2.20" to use Mobile-One-Time-Password (motp). Apr 3 20:48:10 pfSense php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?' Apr 3 20:48:10 pfSense php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
If i change anything else, for example adding an interface to freeradius, it tries to install bash again:
Apr 3 20:48:51 pfSense check_reload_status: Syncing firewall Apr 3 20:48:51 pfSense php: /pkg_edit.php: FreeRADIUS: Downloading and installing package "bash-4.2.20" to use Mobile-One-Time-Password (motp). Apr 3 20:50:06 pfSense php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
That's where I started thinking.. So I ssh'd into the box and tried a manual pkg_add -r bash, which leads to:
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/bash.tbz... Done. pkg_add: warning: package 'bash-4.2.20' requires 'libiconv-1.13.1_2', but 'libiconv-1.14_1' is installed pkg_add: warning: package 'bash-4.2.20' requires 'gettext-0.18.1.1', but 'gettext-0.18.3' is installed
This is the 2.1-RELEASE 64bit - example.
i can't remember that i ran into this before. Is it some stupid fault on my behalf or is something entirely in the package-structure/dependencies?
Thanks for your time!
today I tried the 2.1.1 release of pfSense, did a complete install with the symmetric multiprocessor kernel, configured my Interfaces and ran into the same error again. Seems I won't be able to use mOTP on my install. Anybody got a clue what to do?
the freeradius motp features is based on a script - modified for pfsense - from http://motp.sourceforge.net/
The script is written for /bin/bash but this is not the default shell for pfsense so you need an additional package "bash".
So there are two possibilities:
1.) Modify the function "function freeradius_motp_resync()" in freeradius.inc starting on line 3897
2.) Rewrite the motp script from /bin/bash to work on the pfsense default shell (recommended)
There is a check on this part - if someone enabled mOTP feature on GUI the the package checks if bash is installed but it only checks on a specific version. If it ist not installed it installs bash. If it is installed and mOTP is still enabled it skips the installation.
If you disabled mOTP bash will be uninstalled.
So bash does not come with the freeradius2 package but it installs later if mOTP is enabled. This is for sure not an elegant solution.
PS: if you download bash manually then you can try to just comment out the lines on feeradius.inc which do the check and installation of bash package.