Netgate Discussion Forum

    Freeradius package bug report - Mobile OTP Configuration

      Grandmaster Wierdo

      Environment:

      • pfSense 2.1.5-RELEASE (i386)
        freeradius package 2.1.12_1/2.2.5_3 pkg v1.6.7_3

      I have been working to configure mOTP on Freeradius for use with OpenVPN and ran into some issues. On investigation I have discovered the following bug, which I believe is caused by the recent changes of the FreeBSD package locations on their repositories.

      BUG

      The path to the FreeBSD repository on line 3930 of freeradius.inc is incorrect. This causes the Bash shell to not install when mOTP is configured, and mOTP is unable to provide authentication as the scripts are unable to run due to the absence of the bash shell.

      Current path:

      http://ftp-archive.freebsd.org/pub/FreeBSD/ports/`uname -m`/packages-8.3-release/All/bash-4.2.20.tbz

      Corrected path:

      http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/`uname -m`/packages-8.3-release/All/bash-4.2.20.tbz

      Testing & confirmation

      When configuring mOTP and checking the box Enable Mobile-One-Time-Password in the freeradius settings tab, the package should install the bash shell in order to be able to run the mOTP scripts.

      The system log reports the following (expected):

      php[98455]: /pkg_edit.php: FreeRADIUS: Downloading and installing package "bash-4.2.20" to use Mobile-One-Time-Password (motp).

      After the additional required configuration I was not getting successful authentication using the command-line radtest tool from the shell when providing the OTP from my smartphone app (I checked the epoch time and other items):

      radtest fred 8f48e8 192.168.1.1 1812 radpass
      Sending Access-Request of id 72 to 192.168.1.1 port 1812
              User-Name = "fred"
              User-Password = "8f48e8"
              NAS-IP-Address = 192.168.1.1
              NAS-Port = 1812
              Message-Authenticator = 0x00000000000000000000000000000000
      rad_recv: Access-Reject packet from host 192.168.1.1 port 1812, id=72, length=20

      I did some further investigation and discovered that, even though the above log stated bash had been installed, bash was actually not on the system.

      I inspected the freeradius.inc file and ran the following command (extracted from the script):

      cd /var/db/pkg && ls | grep bash

      which also confirms bash is not installed.

      I ran the following command (extracted from the script) which should install the bash shell from the repository:

      exec("pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD/ports/`uname -m`/packages-8.3-release/All/bash-4.2.20.tbz");

      However, this provided the following error:

      Error: Unable to get http://ftp-archive.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/All/bash-4.2.20.tbz: Not Found
      pkg_add: unable to fetch 'http://ftp-archive.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/All/bash-4.2.20.tbz' by URL

      Checking the FreeBSD repository uncovered that the package location is now:

      http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.3-release/All/bash-4.2.20.tbz

      After altering the above command (from the script) to use the new path, the install of the bash package was successful:

      pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/`uname -m`/packages-8.3-release/All/bash-4.2.20.tbz
      Fetching http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.3-release/All/bash-4.2.20.tbz… Done.

      And the test using radtest works as expected:

      [2.1.5-RELEASE][admin@pfsense.reality.local]/usr/local/pkg(193): radtest fred 7c1776 192.168.1.1 1812 radpass
      Sending Access-Request of id 37 to 192.168.1.1 port 1812
              User-Name = "fred"
              User-Password = "7c1776"
              NAS-IP-Address = 192.168.1.1
              NAS-Port = 1812
              Message-Authenticator = 0x00000000000000000000000000000000
      rad_recv: Access-Accept packet from host 192.168.1.1 port 1812, id=37, length=20

      I hope this helps.

      Thanks

      James
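
The failure described in the post, where the log announces the install but bash never lands and mOTP authentication is rejected, can be caught by checking the installer's exit status and then re-checking the package database. The sketch below is an added example, not code from freeradius.inc or the pfSense package; `PKG_DB` and `PKG_ADD` are hypothetical variables introduced here so the check can be pointed at a stub installer.

```shell
#!/bin/sh
# Added example (not from freeradius.inc): install bash for mOTP and verify
# that it is really registered, instead of trusting the log line alone.

# Hypothetical knobs (assumptions, not pfSense settings):
PKG_DB="${PKG_DB:-/var/db/pkg}"   # package database directory checked in the post
PKG_ADD="${PKG_ADD:-pkg_add}"     # installer command; override with a stub to test

# Build the corrected archive URL from the post for a given architecture.
bash_pkg_url() {
    arch="${1:-$(uname -m)}"
    printf 'http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/%s/packages-8.3-release/All/bash-4.2.20.tbz\n' "$arch"
}

# Succeeds only if a bash-* entry exists in the package database.
bash_registered() {
    [ -d "$PKG_DB" ] || return 1
    for entry in "$PKG_DB"/bash-*; do
        if [ -d "$entry" ]; then
            return 0
        fi
    done
    return 1
}

# Install bash only if missing, then verify. Return codes:
#   0 = bash present, 2 = fetch/install failed, 3 = installer claimed success
#   but nothing was registered.
ensure_bash() {
    if bash_registered; then
        echo "bash already registered in $PKG_DB"
        return 0
    fi
    url="$(bash_pkg_url "$1")"
    if ! "$PKG_ADD" -r "$url"; then
        echo "ERROR: fetch/install failed for $url" >&2
        return 2
    fi
    if ! bash_registered; then
        echo "ERROR: installer returned success but no bash-* entry in $PKG_DB" >&2
        return 3
    fi
    echo "bash installed from $url"
    return 0
}
```

Calling `ensure_bash` with no argument uses `uname -m` for the architecture; a non-zero return is the signal to stop and report rather than continue enabling mOTP.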
