[RADIATOR] AuthSQLYubikey
Hugh Irvine
hugh at open.com.au
Thu Sep 24 17:58:09 CDT 2009
Hello Jerome -
Many thanks for your report - I will forward it to Mike when he
returns from overseas.
regards
Hugh
On 25 Sep 2009, at 02:21, jeje wrote:
> Hi there,
>
> I've found 2 more issues with AuthSQLYUBIKEY:
>
> - the code assumes the string sent by the key is 12 chars + 32 chars,
> otherwise the code thinks there's a static password in front
>
> This seems to be true only for "out of the box" keys, but when they
> are reprogrammed (using ykpersonalize in my case), the string can then
> be longer, up to 36 chars for the second part
>
> From the help:
> Usage: ykpersonalize [options]
> -1 change the first configuration. This is the default and
> is normally used for true OTP generation.
> In this configuration, TKTFLAG_APPEND_CR is set by default.
> -2 change the second configuration. This is for Yubikey II only
> and is then normally used for static key generation.
> In this configuration, TKTFLAG_APPEND_CR, CFGFLAG_STATIC_TICKET,
> CFGFLAG_STRONG_PW1, CFGFLAG_STRONG_PW2 and CFGFLAG_MAN_UPDATE
> are set by default.
> -sFILE save configuration to FILE instead of key.
> (if FILE is -, send to stdout)
> -iFILE read configuration from FILE.
> (if FILE is -, read from stdin)
> -aXXX.. A 32 char hex value (not modhex) of a fixed AES key to use
> -cXXX.. A 12 char hex value to use as access code for programming
> (this does NOT SET the access code, that's done with -oaccess=)
> -oOPTION change configuration option. Possible OPTION arguments are:
> salt=ssssssss Salt to be used for key generation. If
> none is given, a unique random one will be generated.
> fixed=xxxxxxxxxxx The public identity of key, in MODHEX.
> This is 0-16 characters long.
>
> If you give a 16-char fixed param, it will break Radiator's
> assumptions: the string generated by the yubikey will be 12+36 chars.
>
> Then Radiator thinks there's a static password for 2 factor auth, and
> the auth fails.
>
> I think this code has to be rewritten; sorry, I have no clean patch to
> provide yet.
>
> Second issue:
>
> I'm trying to use DBD::CSV for my tests, and when Radiator tries to
> update the database it does:
>
> Thu Sep 24 18:12:38 2009: ERR: do failed for 'update yubikeys set accessed=now(), counter=1, low=30090, high=253 where tokenId='SmVqZS5v'': Unknown function 'now'
>
> Thu Sep 24 18:12:38 2009: DEBUG: Radius::AuthSQLYUBIKEY IGNORE: Database update failed: jeje [jeje]
> Thu Sep 24 18:12:38 2009: DEBUG: AuthBy SQLYUBIKEY result: IGNORE, Database update failed
>
> And then the auth fails again...
>
> I don't think the function now() is standard SQL; the time should
> probably be computed by Radiator rather than assuming that the SQL
> front end can do it lazily ;-)
>
> Cheers,
>
> Jerome.
>
>
> On Thu, May 7, 2009 at 18:00, Sami Keski-Kasari <samikk at archred.com>
> wrote:
>> Hello,
>>
>> I am testing Yubikeys and found two issues:
>>
>> 1. Custom AuthSelect doesn't work because of this issue:
>>
>> --- Radius/AuthSQLYUBIKEY.pm-orig 2009-05-06
>> 20:52:40.000000000 +0300
>> +++ Radius/AuthSQLYUBIKEY.pm 2009-05-06 20:53:14.000000000 +0300
>> @@ -17,7 +17,7 @@
>> use MIME::Base64;
>> use strict;
>>
>> -%Radius::AuthSQLDIGIPASS::ConfigKeywords =
>> +%Radius::AuthSQLYUBIKEY::ConfigKeywords =
>> ('AuthSelect' =>
>> ['string', 'SQL query that will be used to fetch Yubikey data from
>> the
>> database. Special characters are permitted, and %0 is replaced with
>> the
>> quoted user name. %1 is replaced with the token ID. The default
>> works with
>> the sample yubikey database created by db_schema.sql from the YubiKey
>> Validation Server.', 0],
>> 'UpdateQuery' =>
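Review bot: the wrong package name on the hash declaration does not only break AuthSelect; every keyword in that hash, including the `UpdateQuery` key visible as trailing context, was being registered under `%Radius::AuthSQLDIGIPASS::ConfigKeywords`, so none of this module's keywords could have been recognised before the fix. Changing the one line to `+%Radius::AuthSQLYUBIKEY::ConfigKeywords =` is the right fix; it is worth grepping the rest of AuthSQLYUBIKEY.pm for any other `AuthSQLDIGIPASS` leftovers from the same copy, and the commit message should say that the whole keyword table, not just AuthSelect, was affected.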
>>
>> 2. Replay attack recognition is currently done only via the counter in
>> Radiator.
>> I think that it should be done with counter, timestamp_low and
>> timestamp_high.
>>
>> The problem now is that if you are using replay attack recognition
>> and need
>> more than one OTP password, you have to unplug and plug in the yubikey
>> every time.
>>
>> Regards,
>> Sami
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
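The following is an added example, not code from this thread or from Radiator's Perl sources, written in Python to show the two parsing and replay points raised above. It treats the last 32 modhex characters as the encrypted token body and allows a public id of 0 to 16 characters (the `fixed=` range from the ykpersonalize help), so a reprogrammed key with a 16-char public id no longer looks like a static password plus a 12-char id. The `public_id_len` parameter (an assumed per-token setting, for instance kept in the yubikeys row) and the backward-scanning fallback are this example's own design. The replay check orders (counter, timestamp_high, timestamp_low) as Sami suggests, so several OTPs from one power-up session are accepted in order. The modhex alphabet, 32-char body length and the 8-bit/16-bit timestamp split are Yubikey facts; the sample strings are constructed, not real tokens.

```python
"""Added example for the AuthSQLYUBIKEY thread: OTP splitting that does not
assume a 12-character public id, and a replay check on (counter, timestamp)
rather than the power-up counter alone. Python illustration, not Radiator's
Perl code."""

MODHEX = "cbdefghijklnrtuv"   # Yubico's modhex alphabet
OTP_BODY_LEN = 32             # the AES-encrypted token is always 32 modhex chars
MAX_PUBLIC_ID_LEN = 16        # ykpersonalize -ofixed= takes 0..16 modhex chars


def is_modhex(s):
    return s != "" and all(c in MODHEX for c in s)


def split_otp(submitted, public_id_len=None):
    """Split what the user typed into (static_password, public_id, otp_body).

    The last 32 characters are always the encrypted token body. Everything
    before it is the public id (0..16 modhex chars) and, for two-factor use,
    a static password in front of that. public_id_len is an assumed per-token
    setting (e.g. stored in the yubikeys row); when it is None the longest
    trailing modhex run of at most 16 chars is taken as the id, which is
    ambiguous if the static password itself ends in modhex letters.
    """
    if len(submitted) < OTP_BODY_LEN:
        raise ValueError("too short to contain a Yubikey OTP")
    body = submitted[-OTP_BODY_LEN:]
    if not is_modhex(body):
        raise ValueError("OTP body is not modhex")
    prefix = submitted[:-OTP_BODY_LEN]

    if public_id_len is None:
        # Fallback heuristic: walk backwards over modhex characters, max 16.
        n = 0
        while (n < len(prefix) and n < MAX_PUBLIC_ID_LEN
               and prefix[-1 - n] in MODHEX):
            n += 1
        public_id_len = n
    elif not 0 <= public_id_len <= MAX_PUBLIC_ID_LEN:
        raise ValueError("public id length must be 0..16")
    elif len(prefix) < public_id_len:
        raise ValueError("string shorter than public id plus OTP body")

    split = len(prefix) - public_id_len
    public_id = prefix[split:]
    if public_id and not is_modhex(public_id):
        raise ValueError("public id is not modhex")
    return prefix[:split], public_id, body


def yubikey_timestamp(high, low):
    """Combine the 8-bit high and 16-bit low timestamp fields into the
    24-bit value that resets when the key is powered up."""
    return (high << 16) | low


def is_replay(stored, seen):
    """Replay test on (counter, timestamp_high, timestamp_low) tuples.

    A lower power-up counter is a replay. Within the same power-up session
    (equal counter) the 24-bit timestamp must strictly increase, so several
    OTPs can be accepted without unplugging the key between them.
    """
    s_ctr, s_hi, s_lo = stored
    n_ctr, n_hi, n_lo = seen
    if n_ctr != s_ctr:
        return n_ctr < s_ctr
    return yubikey_timestamp(n_hi, n_lo) <= yubikey_timestamp(s_hi, s_lo)


if __name__ == "__main__":
    # Constructed sample: a 32-char modhex body, not a real token.
    body = "cbdefghijklnrtuvcbdefghijklnrtuv"
    print(split_otp("c" * 16 + body))                    # reprogrammed key, 16-char id
    print(split_otp("Secret!" + "c" * 12 + body, 12))    # 2FA with known id length
    print(is_replay((1, 253, 30090), (1, 253, 30094)))   # same session, later press
    print(is_replay((1, 253, 30090), (1, 253, 30090)))   # identical values, a replay
```

Passing the public id length explicitly matters for two-factor use: a static password such as `passwordb` ends in modhex letters, and the fallback scan would swallow part of it into the public id, so the safe configuration is to know the id length per token rather than infer it. The same "do it in the server, not the database" principle covers the second issue in the thread: compute the `accessed` time in Radiator and put it into the UPDATE as a literal or bind value, since `now()` is a MySQL function rather than standard SQL and DBD::CSV does not provide it.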