FreeRadius2 and OTP



  • Hello,

    I am not sure if this is the right place for this topic, so feel free to send me to the right forum or bug-tracking system. I have recently installed the FreeRadius package on our testbox (2.1.2) and activated the Mobile-One-Time-Password option. Unfortunately the verification of any OTP failed during my tests. After digging a bit into the code of otpverify.sh I think I have found the problem.
    In line 94 the OTP is generated by hashing Time+Secret+PIN. The first 6 characters of the hash value are the OTP, but the current code only uses the sixth character (cut -b 6). I have changed this to "cut -b 1-6" (see attachment) and now the verification works as desired. Is this a known problem? Has anyone used the OTP option without modification?

    CU
    Christian




  • Hi,

    It's not a problem of the code. You probably just typed "6" on the GUI, and this was the mistake. As the GUI describes and the default value shows, you have to enter "1-6", or, if your OTP generator allows it, you can type "4-10" or something else.

    So you have to be more specific about what you type on the GUI.



  • Hello,

    Thanks for your reply. I have used the radtest tool on the command line to test the OTP authentication as described here https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package. As password I have used the OTP that has been created by DroidOTP on my Android phone. I don't think I have mistyped anything. Furthermore I have compared the otpverify.sh from http://motp.sourceforge.net/bash/otpverify.sh with the version provided by the freeradius2 package. The original script uses "OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 1-6" (in line 104), whereas the freeradius version uses "OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 6". In my understanding the second version is wrong, as it only uses the 6th character instead of the first 6 characters. Therefore any authentication request via radius will be rejected. With my modification it works. So I think this is indeed a bug.

    CU

    Christian



  • @cthurner:

    I'll try to explain it again for you.
    On the GUI YOU probably typed:

    6

    This is "wrong" because it only uses character 6 (just one character)

    On the GUI you MUST type:

    1-6

    This uses characters 1, 2, 3, 4, 5, 6
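Since the whole thread turns on which cut(1) byte range the verifier applies to the hash, here is an added stand-alone reimplementation of the mOTP check with that range as a parameter, so "6" and "1-6" can be compared directly. This is example code written for this page; it is neither the pfSense freeradius2 package's otpverify.sh nor the motp.sourceforge.net reference script. It assumes the standard mOTP construction (the "checksum" in the reference script is MD5, the counter is the Unix time divided by 10, the OTP is the first six hex digits of md5(counter || secret || PIN), and a match anywhere within 18 steps either side of "now", i.e. three minutes of clock drift, is accepted). The secret, PIN and timestamp in the demo are constructed placeholders, not real credentials.

```shell
#!/bin/sh
# Added example, not the pfSense freeradius2 package's otpverify.sh and not the
# motp.sourceforge.net reference script: a minimal mOTP verifier that takes the
# cut(1) byte range as a parameter, so "6" and "1-6" can be compared directly.
#
# Assumptions (standard mOTP construction):
#   counter = unix_time / 10          (one mOTP step is 10 seconds)
#   hash    = md5(counter || secret || pin) as lowercase hex
#   otp     = hash cut to the configured range, "1-6" = first six hex digits
#   drift   = a match anywhere within +/-WINDOW steps of "now" is accepted

# MD5 of stdin as lowercase hex; portable between GNU (md5sum) and BSD/macOS (md5).
checksum() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d ' ' -f 1
    else
        md5 -q
    fi
}

# motp_code SECRET PIN EPOCH [RANGE]
# Prints the OTP for the 10-second step containing EPOCH, using RANGE as the
# cut -b argument (default 1-6, as in the reference script).
motp_code() {
    secret=$1; pin=$2; epoch=$3; range=${4:-1-6}
    printf '%s%s%s' "$((epoch / 10))" "$secret" "$pin" | checksum | cut -b "$range"
}

# motp_verify SECRET PIN OTP NOW [WINDOW] [RANGE]
# Returns 0 if OTP matches any step within +/-WINDOW steps of NOW, else 1.
# WINDOW defaults to 18 (three minutes either way). The comparison is
# case-insensitive because some generators display hex digits in upper case.
motp_verify() {
    secret=$1; pin=$2; otp=$3; now=$4; window=${5:-18}; range=${6:-1-6}
    otp=$(printf '%s' "$otp" | tr 'A-F' 'a-f')
    i=$((0 - window))
    while [ "$i" -le "$window" ]; do
        step=$((now / 10 + i))
        cand=$(printf '%s%s%s' "$step" "$secret" "$pin" | checksum | cut -b "$range")
        if [ "$cand" = "$otp" ]; then
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Demo with constructed placeholder values (not real credentials) and a fixed
# timestamp so the output is reproducible.
demo() {
    DEMO_SECRET=1234567890abcdef   # constructed: mOTP init secret (16 hex chars)
    DEMO_PIN=5678                  # constructed PIN
    DEMO_NOW=1700000000            # fixed Unix time instead of $(date +%s)

    full=$(motp_code "$DEMO_SECRET" "$DEMO_PIN" "$DEMO_NOW")
    single=$(motp_code "$DEMO_SECRET" "$DEMO_PIN" "$DEMO_NOW" 6)
    echo "cut -b 1-6 gives: $full   (what the phone displays)"
    echo "cut -b 6   gives: $single        (what a server configured with \"6\" compares against)"

    # Same six-digit OTP, 100 s of drift (inside the window), both ranges.
    for r in 1-6 6; do
        if motp_verify "$DEMO_SECRET" "$DEMO_PIN" "$full" "$((DEMO_NOW + 100))" 18 "$r"; then
            echo "range $r: six-digit OTP accepted"
        else
            echo "range $r: six-digit OTP rejected"
        fi
    done
}

demo
```

Two things worth noting from running it. First, a range of "6" does not produce an error anywhere: the field is handed to cut(1) as-is, so the only symptom is that every six-digit OTP from the phone is silently rejected, exactly what the first post describes. Second, the misconfiguration is worse than a broken login: with the verifier otherwise unchanged, a client that submits a single hex digit as its password is accepted whenever any of the 37 candidate steps has that digit in position six, which for a random digit happens roughly nine times out of ten, so the check degrades to something far weaker than a PIN. Whichever range is configured should match what the generator on the phone is set to display.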

