(RADIATOR) Unusual Digipass + password requirements

Mike McCauley mikem at open.com.au
Thu Jan 20 00:29:37 CST 2005


Hi All,

Here is a config file we built for one of our customers with very unusual 
Digipass token and password requirements. Some of you may be interested in 
this technique: it is an interesting way to increase the security level of an 
existing static password based system.

The customer wanted to use both Digipass tokens _and_ LDAP for authentication. 
The user's password had to consist of 6 digits of Digipass tokencode (no PIN) 
followed by the static password for their LDAP database, e.g.:

742696fred

The attached config file shows how you can use AuthBy INTERNAL hooks to adjust 
the decoded password before AuthBy DIGIPASS runs, and then readjust the 
decoded password before the second AuthBy runs. The result is that AuthBy 
DIGIPASS only sees the first 6 characters of the submitted password, and the 
last AuthBy only sees the characters after the 6th.

Cheers.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
-------------- next part --------------
# digipass.cfg
#
# Example Radiator configuration file.
#
# Simple config file, which shows how to split the incoming password between 
# 2 different authentication systems.
# In this case, the user's password is made up of a Digipass tokencode of 6 chars, followed by
# the user's static password for an LDAP database.
# This example first adjusts the password so AuthBy DIGIPASS only sees the first 6 chars, and 
# the final AuthBy only sees the chars after the 6th.
#
# You should consider this file to be a starting point only
# $Id: digipass.cfg,v 1.6 2004/10/11 04:56:08 mikem Exp $

Foreground
LogStdout
LogDir		.
DbDir		.
# Use a lower trace level in production systems:
Trace 		4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
	Secret	mysecret
	DupInterval 0
</Client>

<Realm DEFAULT>
	AuthByPolicy ContinueWhileAccept
	
	# Here we adjust the decoded password so AuthBy DIGIPASS only sees the first 6 
	# chars, which are expected to be the Digipass tokencode.
	<AuthBy INTERNAL>
	       DefaultResult	ACCEPT
	       AuthHook sub { $_[0]->{DecodedPassword} = substr($_[0]->decodedPassword(), 0, 6);\
			return ($main::ACCEPT);}
	</AuthBy>

	<AuthBy DIGIPASS>
		# Adjust DBSource, DBUsername, DBAuth to suit your DB
		DBSource	dbi:mysql:radius
		DBUsername	mikem
		DBAuth		fred
	
		# Select which EAP type(s) you are willing to support	
		EAPType One-Time-Password

	</AuthBy>

	# Now we readjust the decoded password so the final AuthBy only sees the characters after the 6th
	# char of the original password
	<AuthBy INTERNAL>
		DefaultResult	ACCEPT
		AuthHook sub { $_[0]->{DecodedPassword} = undef; \
			$_[0]->{DecodedPassword} = substr($_[0]->decodedPassword(), 6);\
			return ($main::ACCEPT);}
	</AuthBy>

	# Now AuthBy FILE only sees the characters after the first 6 as the submitted password.
	# You can use almost any AuthBy here, and it will still see only the
	# chars after the 6th
	<AuthBy FILE>
		Filename %D/users
	</AuthBy>
      
</Realm>
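As an added illustration (not part of Mike's post or of Radiator itself), here is a small Python model of the AuthBy chain in digipass.cfg: the two hook functions do what the AuthBy INTERNAL hooks do, the DIGIPASS and FILE stand-ins compare against constructed sample values, and authenticate() applies AuthByPolicy ContinueWhileAccept. It assumes that decodedPassword() caches its result in DecodedPassword and re-decodes the original User-Password when that cache is empty, which is why the second hook sets it to undef first; the names Request, hook_first_six, hook_after_six, authby_digipass, authby_file and authenticate are mine.

```python
import hmac
ACCEPT, REJECT = "ACCEPT", "REJECT"
# Constructed sample data (not real credentials): fred's current Digipass
# tokencode and fred's static password from %D/users, i.e. "742696fred".
TOKENCODES = {"fred": "742696"}
STATIC_PASSWORDS = {"fred": "fred"}

class Request:  # stand-in for the request object the AuthHooks receive as $_[0]
    def __init__(self, user, user_password):
        self.user = user
        self.user_password = user_password  # the User-Password the NAS sent
        self.DecodedPassword = None         # assumed cache used by decodedPassword()
    def decodedPassword(self):
        # Assumption: decode from the original attribute when the cache is empty.
        if self.DecodedPassword is None:
            self.DecodedPassword = self.user_password
        return self.DecodedPassword

def hook_first_six(req):
    # First AuthBy INTERNAL: DIGIPASS must only see the first 6 characters.
    req.DecodedPassword = req.decodedPassword()[:6]
    return ACCEPT

def hook_after_six(req):
    # Second AuthBy INTERNAL: empty the cache so the slice is taken from the
    # ORIGINAL password, not the truncated 6-char value left by the first hook.
    req.DecodedPassword = None
    req.DecodedPassword = req.decodedPassword()[6:]
    return ACCEPT

def authby_digipass(req):
    # Stand-in for AuthBy DIGIPASS: a 6-digit tokencode, compared in constant time.
    pw, expected = req.decodedPassword(), TOKENCODES.get(req.user, "")
    ok = len(pw) == 6 and pw.isdigit() and hmac.compare_digest(pw.encode(), expected.encode())
    return ACCEPT if ok else REJECT

def authby_file(req):  # stand-in for AuthBy FILE: the rest of the password vs %D/users
    expected = STATIC_PASSWORDS.get(req.user, "")
    return ACCEPT if hmac.compare_digest(req.decodedPassword().encode(), expected.encode()) else REJECT

def authenticate(user, password):
    # AuthByPolicy ContinueWhileAccept: run the AuthBys in order, stop at the
    # first non-ACCEPT; the chain's result is the last result produced.
    req = Request(user, password)
    result = REJECT
    for authby in (hook_first_six, authby_digipass, hook_after_six, authby_file):
        result = authby(req)
        if result != ACCEPT:
            break
    return result
```

A submission shorter than 6 characters, or with a wrong tokencode, is rejected by the DIGIPASS stage and the static password is never examined.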
