[RADIATOR] AuthSQLYubikey

Mike McCauley mikem at open.com.au
Tue Oct 6 06:20:59 CDT 2009


Hi Jérôme,

On Tuesday 06 October 2009 06:11:10 pm Jérôme Fleury wrote:
> Hi Mike:
>
> On Mon, Oct 5, 2009 at 00:19, Mike McCauley <mikem at open.com.au> wrote:
> > Hmmm, this is a difficult problem: without some hard knowledge about the
> > length of the (optional) static password and/or the length of the string
> > sent by the key, it can't tell where the static password ends and the
> > token string starts.
> >
> > If _all_ your keys are configured for the _same_ non-standard token
> > string length, then there might be a chance to add a new Radiator config
> > parameter that specifies how long your token string is. Is that viable?
>
> This is viable, however, in my mind, for 2 factor auth you were supposed to
> use
>
> password:otp
>
> with : as a marker for separation. This character is never used in
> OTPs so you can't be wrong in detecting it.
>
> Correct me if I'm wrong.

That is not universal, but we have seen that before.
We now accept that too. See the latest patch set.


>
> > The reason it is done this way is to support the case where multiple
> > Radiator hosts access a single SQL server. If the clocks on the Radiator
> > hosts were wrong, then clock skew could cause errors in the database.
> >
> > We have now added to the AuthBy SQLYUBIKEY UpdateQuery parameter a new
> > positional parameter %5,
> > which is replaced by the current unix time on the Radiator host.
> >
> > So now you could have something like:
> > UpdateQuery update yubikeys set accessed=%5, counter=%0, low=%1, high=%2 where tokenId=%4
> >
> > The change is now available in the latest patch set.
>
> Nice. However I found a simpler patch. I just replaced the use of
> now() by current_timestamp() in the code, which seems a little more
> "standardized"

That sounds like a good solution. Now implemented in the latest patch set.

Cheers.

>
>
> Cheers,
>
> Jerome.



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
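
Added example, not part of the original message and not Radiator code: a Python sketch of the splitting problem discussed in this thread, showing why a concatenated password+OTP needs either a known token length or the ":" separator. The function name, the token_len parameter and the sample keys are assumptions constructed for illustration; 44 characters is the standard YubiKey OTP length.

```python
import re

# Modhex alphabet used in YubiKey OTP output; ':' is never part of it.
MODHEX = re.compile(r"^[cbdefghijklnrtuv]+$")
STANDARD_OTP_LEN = 44  # 12-char public ID + 32-char encrypted part

# Constructed sample tokens (not real key output).
OTP = "cccccccfhcbe" + "cbdefghijklnrtuv" * 2   # standard length, 44 chars
SHORT_OTP = "cfhcbe" + "cbdefghijklnrtuv" * 2   # key with a 6-char ID, 38 chars


def split_credential(value, token_len=STANDARD_OTP_LEN):
    """Return (static_password, otp) from one submitted password field.

    token_len is a hypothetical per-deployment setting, standing in for
    the config parameter proposed in the thread.
    """
    if ":" in value:
        # Split on the LAST ':' so a static password containing ':' survives.
        password, _, otp = value.rpartition(":")
    else:
        if token_len <= 0 or len(value) < token_len:
            raise ValueError("field is shorter than the configured token length")
        password, otp = value[:-token_len], value[-token_len:]
    if not MODHEX.match(otp):
        raise ValueError("token part is not modhex")
    return password, otp


if __name__ == "__main__":
    # Standard key, no separator: the fixed length finds the boundary.
    print(split_credential("hunter2" + OTP))
    # Short-ID key with a modhex-only password and the wrong length assumed:
    # the split is silently wrong ('t' / 'rickle...') and still looks valid.
    print(split_credential("trickle" + SHORT_OTP))
    # Same input with the right length, or with ':', splits correctly.
    print(split_credential("trickle" + SHORT_OTP, token_len=38))
    print(split_credential("trickle:" + SHORT_OTP))
```

The second call shows the failure mode: a static password made only of modhex letters passes validation on the wrong side of the boundary, so the mistake surfaces later as a failed OTP check rather than as a parse error.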

