Freeradius package bug report - Mobile OTP Configuration



  • Environment:

    • pfSense 2.1.5-RELEASE (i386)
      freeradius package 2.1.12_1/2.2.5_3 pkg v1.6.7_3

    I have been working to configure mOTP on Freeradius for use with OpenVPN and ran into some issues. On investigation I have discovered the following bug, which I believe is caused by the recent changes of the FreeBSD package locations on their repositories.

    BUG

    The path to the FreeBSD repository on line 3930 of freeradius.inc is incorrect. This causes the Bash shell to not install when mOTP is configured, and mOTP is unable to provide authentication as the scripts are unable to run due to the absence of the bash shell.

    Current path:

    http://ftp-archive.freebsd.org/pub/FreeBSD/ports/`uname -m`/packages-8.3-release/All/bash-4.2.20.tbz

    Corrected path:

    http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/`uname -m`/packages-8.3-release/All/bash-4.2.20.tbz

    Testing & confirmation

    When configuring mOTP and checking the box Enable Mobile-One-Time-Password in the freeradius settings tab, the package should install the bash shell in order to be able to run the mOTP scripts.

    The system log reports the following (expected):

    php[98455]: /pkg_edit.php: FreeRADIUS: Downloading and installing package "bash-4.2.20" to use Mobile-One-Time-Password (motp).

    After the additional required configuration I was not getting successful authentication using the command-line radtest tool from the shell when providing the OTP from my smartphone app (I checked the epoch time and other items):

    radtest fred 8f48e8 192.168.1.1 1812 radpass
    Sending Access-Request of id 72 to 192.168.1.1 port 1812
            User-Name = "fred"
            User-Password = "8f48e8"
            NAS-IP-Address = 192.168.1.1
            NAS-Port = 1812
            Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Reject packet from host 192.168.1.1 port 1812, id=72, length=20

    I did some further investigation and discovered that, even though the above log stated bash had been installed, bash was actually not on the system.

    I inspected the freeradius.inc file and ran the following command (extracted from the script):

    cd /var/db/pkg && ls | grep bash

    which also confirms bash is not installed.

    I ran the following command (extracted from the script) which should install the bash shell from the repository:

    exec("pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD/ports/`uname -m`/packages-8.3-release/All/bash-4.2.20.tbz");

    however this provided the following error:

    Error: Unable to get http://ftp-archive.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/All/bash-4.2.20.tbz: Not Found
    pkg_add: unable to fetch 'http://ftp-archive.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/All/bash-4.2.20.tbz' by URL

    Checking the FreeBSD repository uncovered that the package location is now:

    http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.3-release/All/bash-4.2.20.tbz

    Altering the above command (from the script) to use the new path, the install of the bash package was successful:

    pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/`uname -m`/packages-8.3-release/All/bash-4.2.20.tbz
    Fetching http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.3-release/All/bash-4.2.20.tbz… Done.

    And the test using radtest works as expected:

    [2.1.5-RELEASE][admin@pfsense.reality.local]/usr/local/pkg(193): radtest fred 7c1776 192.168.1.1 1812 radpass
    Sending Access-Request of id 37 to 192.168.1.1 port 1812
            User-Name = "fred"
            User-Password = "7c1776"
            NAS-IP-Address = 192.168.1.1
            NAS-Port = 1812
            Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 192.168.1.1 port 1812, id=37, length=20

    I hope this helps.

    Thanks

    James
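
The failure reported above was silent: the system log announced that bash was being installed while `/var/db/pkg` had no entry for it. As an added example (not code from freeradius.inc or the pfSense package), the shell functions below run an installer and then confirm registration in the package database before reporting success. The names `install_verified` and `pkg_registered` and the `PKG_DB` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify a package install against the package database
# instead of trusting a "Downloading and installing" log line.
# PKG_DB can be overridden so the check can be exercised on a scratch dir.
PKG_DB="${PKG_DB:-/var/db/pkg}"

# pkg_registered NAME-VERSION
# True only if the package database holds an entry for the package, the
# same evidence the post gathers with: cd /var/db/pkg && ls | grep bash
pkg_registered() {
    [ -d "$PKG_DB/$1" ]
}

# install_verified NAME-VERSION INSTALLER [ARGS...]
# Return codes:
#   0  package is registered (already present or freshly installed)
#   1  installer exited non-zero (e.g. the fetch returned "Not Found")
#   2  installer exited zero but nothing was registered
install_verified() {
    pkg="$1"; shift
    if pkg_registered "$pkg"; then
        echo "$pkg already registered in $PKG_DB"
        return 0
    fi
    if ! "$@"; then
        echo "install of $pkg failed: '$*' exited non-zero" >&2
        return 1
    fi
    if ! pkg_registered "$pkg"; then
        echo "install of $pkg reported success but $PKG_DB/$pkg is missing" >&2
        return 2
    fi
    echo "$pkg installed and registered"
}

# Usage with the corrected path from the post (not executed here):
#   install_verified bash-4.2.20 pkg_add -r \
#     "http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/`uname -m`/packages-8.3-release/All/bash-4.2.20.tbz"
```

A caller that logs or enables mOTP only when the return code is 0 would have surfaced the broken repository path at configuration time rather than as an Access-Reject.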

