(RADIATOR) Unusual Digipass + password requirements
Mike McCauley
mikem at open.com.au
Thu Jan 20 00:29:37 CST 2005
Hi All,
Here is config file we built for one of our customers with very unusual
Digipass token and password requirements. Some of you may be interested in
this technique: it is an interesting way to increase the security level of an
existing static password based system.
The customer wanted to use both Digipass tokens _and_ LDAP for authentication.
The user's password had to consist of 6 digits of Digipass tokencode (no PIN)
followed by the static password for their LDAP database, e.g.:
742696fred
The attached config file shows how you can use AuthBy INTERNAL hooks to adjust
the decoded password before AuthBy DIGIPASS runs, and then readjust the
decoded password before the second AuthBy runs. The result is that AuthBy
DIGIPASS only sees the first 6 characters of the submitted password, and the
last AuthBy only sees the characters after the 6th.
Cheers.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
# digipass.cfg
#
# Example Radiator configuration file.
#
# Simple config file, which shows how to split the incoming password between
# 2 different authentication systems.
# In this case, the user's password is made up of a Digipass tokencode of 6 chars, followed by
# the user's static password for an LDAP database.
# This example first adjusts the password so AuthBy DIGIPASS only sees the first 6 chars, and
# the final AuthBy only sees the chars after the 6th.
#
# You should consider this file to be a starting point only
# $Id: digipass.cfg,v 1.6 2004/10/11 04:56:08 mikem Exp $
Foreground
LogStdout
LogDir .
DbDir .
# Use a lower trace level in production systems:
Trace 4
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
Secret mysecret
DupInterval 0
</Client>
<Realm DEFAULT>
AuthByPolicy ContinueWhileAccept
# Here we adjust the decoded password so AuthBy DIGIPASS only sees the first 6
# chars, which are expected to be the Digipass tokencode.
<AuthBy INTERNAL>
DefaultResult ACCEPT
AuthHook sub { $_[0]->{DecodedPassword} = substr($_[0]->decodedPassword(), 0, 6);\
return ($main::ACCEPT);}
</AuthBy>
<AuthBy DIGIPASS>
# Adjust DBSource, DBUsername, DBAuth to suit your DB
DBSource dbi:mysql:radius
DBUsername mikem
DBAuth fred
# Select which EAP type(s) you are willing to support
EAPType One-Time-Password
</AuthBy>
# Now we readjust the decoded password so the final AuthBy only sees the characters after the 6th
# char of the original password. DecodedPassword is first set to undef so that decodedPassword()
# re-decodes the original User-Password instead of returning the 6-char value cached by the first hook.
<AuthBy INTERNAL>
DefaultResult ACCEPT
AuthHook sub { $_[0]->{DecodedPassword} = undef; \
$_[0]->{DecodedPassword} = substr($_[0]->decodedPassword(), 6);\
return ($main::ACCEPT);}
</AuthBy>
# Now AuthBy FILE only sees the characters after the first 6 as the submitted password.
# You can use almost any AuthBy here, and it will still see only the
# chars after the 6th
<AuthBy FILE>
Filename %D/users
</AuthBy>
</Realm>
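The following is an added example, not part of the original post or of Radiator's code: a small Python model of the chain above (AuthByPolicy ContinueWhileAccept, the two AuthBy INTERNAL hooks, and a stand-in for each password-checking AuthBy). The `Request` class, its `decodedPassword()` cache, and the checker functions are assumptions made for the illustration; Radiator's real objects and its Digipass verification differ. It shows what each stage sees for a correct and an incorrect password, why the second hook resets the cached value before re-slicing, and what a submitted password shorter than 6 characters produces.

```python
# Added example (not Radiator's code). Models the password split from digipass.cfg.
# Request, decode_user_password and the checker closures are hypothetical stand-ins.

ACCEPT, REJECT = "ACCEPT", "REJECT"


def decode_user_password(attr):
    # Stand-in for RADIUS User-Password decoding. The constructed sample request
    # below stores the password in clear so the example runs offline.
    return attr


class Request:
    """Hypothetical request object with the cache behaviour the config relies on."""

    def __init__(self, user_password):
        self.attrs = {"User-Password": user_password}
        self.DecodedPassword = None  # None plays the role of Perl's undef

    def decodedPassword(self):
        # Decode once and cache; a later call returns the cached value unless
        # the cache has been reset to None (undef) first.
        if self.DecodedPassword is None:
            self.DecodedPassword = decode_user_password(self.attrs["User-Password"])
        return self.DecodedPassword


def hook_keep_first_six(req):
    # First AuthBy INTERNAL: leave only the 6-char tokencode for AuthBy DIGIPASS.
    req.DecodedPassword = req.decodedPassword()[:6]
    return ACCEPT


def hook_keep_after_six(req):
    # Second AuthBy INTERNAL: reset the cache (undef), re-decode the original,
    # then keep everything after the 6th character for the final AuthBy.
    req.DecodedPassword = None
    req.DecodedPassword = req.decodedPassword()[6:]
    return ACCEPT


def hook_keep_after_six_without_reset(req):
    # Same hook with the undef omitted: slices the already-truncated 6-char value.
    req.DecodedPassword = req.decodedPassword()[6:]
    return ACCEPT


def make_checker(expected, seen):
    # Stand-in for AuthBy DIGIPASS / AuthBy FILE: records what it was shown and
    # accepts only if it matches the expected value (constructed sample data).
    def check(req):
        pw = req.decodedPassword()
        seen.append(pw)
        return ACCEPT if pw == expected else REJECT
    return check


def run_chain(stages, req):
    # AuthByPolicy ContinueWhileAccept: continue while each AuthBy returns ACCEPT,
    # stop and return the first non-ACCEPT result.
    for stage in stages:
        result = stage(req)
        if result != ACCEPT:
            return result
    return ACCEPT


def authenticate(password, tokencode="742696", static_pw="fred", reset=True):
    """Run the modelled Realm; returns (result, list of values each checker saw)."""
    seen = []
    req = Request(password)
    second_hook = hook_keep_after_six if reset else hook_keep_after_six_without_reset
    chain = [
        hook_keep_first_six,
        make_checker(tokencode, seen),   # plays AuthBy DIGIPASS
        second_hook,
        make_checker(static_pw, seen),   # plays AuthBy FILE
    ]
    return run_chain(chain, req), seen


if __name__ == "__main__":
    for pw, reset in [("742696fred", True), ("742696fred", False), ("7426", True)]:
        print(pw, reset, authenticate(pw, reset=reset))
```

With the reset in place, the Digipass stage sees `742696` and the file stage sees `fred`; without it the second stage sees an empty string and every login fails. A submitted password shorter than 6 characters never reaches the second stage, since the tokencode check rejects it first.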