Archive for September, 2016

18
Sep

freeradius - OTP

   Posted by: admin    in Mẹo vặt của hiếu râu

# vi /var/www/html/OTP/pam.php

<?php

echo “:-(”;    // :-)

file_put_contents(’/tmp/pam.txt’,date(’Y-m-d D H:i:s ‘).json_encode($_GET).”\n”,FILE_APPEND);

?>

#yum install freeradius freeradius-utils freeradius-perl perl-libwww-perl
#perl -MCPAN -e shell
>install LWP
#radius -X
#radtest  hieu 2234 127.0.0.1 123 testing123
    Create a new file ‘/etc/freeradius/sites-available/linotp’ with the following content:

    authorize {
    
    #normalizes maleformed client request before handed on to other modules (see '/etc/freeradius/modules/preprocess')
            preprocess
    
            #  If you are using multiple kinds of realms, you probably
            #  want to set "ignore_null = yes" for all of them.
            #  Otherwise, when the first style of realm doesn't match,
            #  the other styles won't be checked.
    
    #allows a list of realm (see '/etc/freeradius/modules/realm')
            IPASS
    
    #understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
            suffix
    
    #understands USER\REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
            ntdomain
    
            #  Read the 'users' file to learn about special configuration which should be applied for
            # certain users (see '/etc/freeradius/modules/files')
            files
    
            # allows to let authentification to expire (see '/etc/freeradius/modules/expiration')
            expiration
    
            # allows to define valid service-times (see '/etc/freeradius/modules/logintime')
            logintime
    
            # We got no radius_shortname_map!
            pap
    }
    
    #here the linotp perl module is called for further processing
    authenticate {
            perl
    }
  • and activate the configuration by softlinking it in to ‘/etc/freeradius/sites-enabled’
  • ln -s ../sites-available/linotp /etc/freeradius/sites-enabled'
#less example.pl
#
# If you are using DBI and do some queries to DB, please be sure to
# use the CLONE function to initialize the DBI connection to DB.
#
use strict;
use LWP;
# use …
# This is very important ! Without this script will not get the filled hashesh from main.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;
# This is hash wich hold original request from radius
#my %RAD_REQUEST;
# In this hash you add values that will be returned to NAS.
#my %RAD_REPLY;
#This is for check items
#my %RAD_CHECK;
sub authenticate {
# For debugging purposes only
#       &log_request_attributes;
my $ua = LWP::UserAgent->new();
my $req = HTTP::Request->new( GET =>  “http://localhost/OTP/pam.php?user=” .
$RAD_REQUEST{’User-Name’} . “&pass=” . $RAD_REQUEST{’User-Password’} . “&client=” . $RAD_REQUEST{’NAS-IP-Address’} .
“&clientId=” . $RAD_REQUEST{’NAS-Identifier’} .
“&realm=” . $RAD_REQUEST{’Calling-Station-Id’} );
my $response = $ua->request( $req );
die “Error at OTP/pam.php\n “, $response->status_line, “\n Aborting”
unless $response->is_success;
if($response->content =~ m/:\-\)/i) {
return RLM_MODULE_OK;
} else {
$RAD_REPLY{’Reply-Message’} = “Wrong OTP - access denied !”;
return RLM_MODULE_REJECT;
}
}
#vi users
lameuser        Auth-Type := Reject
Reply-Message = “Your account has been disabled.”
DEFAULT         Auth-Type := perl
DB
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET NAMES utf8 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE=’NO_AUTO_VALUE_ON_ZERO’ */;
– Dumping database structure for OTP
CREATE DATABASE IF NOT EXISTS `OTP` /*!40100 DEFAULT CHARACTER SET utf8 */;
USE `OTP`;
– Dumping structure for table OTP.tbl_cache
CREATE TABLE IF NOT EXISTS `tbl_cache` (
`Username` varchar(50) DEFAULT NULL,
`Code` varchar(100) DEFAULT NULL,
`Dt` datetime DEFAULT NULL,
`LastUpdate` int(11) DEFAULT NULL,
`Server` varchar(50) DEFAULT NULL,
UNIQUE KEY `Index 1` (`Server`,`Username`),
KEY `Index 2` (`LastUpdate`,`Code`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
– Data exporting was unselected.
– Dumping structure for table OTP.tbl_users
CREATE TABLE IF NOT EXISTS `tbl_users` (
`id` int(10) NOT NULL AUTO_INCREMENT,
`Username` varchar(50) NOT NULL,
`Code` varchar(50) NOT NULL,
`Pin` varchar(50) NOT NULL,
`Phone` varchar(50) DEFAULT NULL,
PRIMARY KEY (`id`),
KEY `Index 2` (`Username`)
) ENGINE=InnoDB AUTO_INCREMENT=77 DEFAULT CHARSET=utf8;
– Data exporting was unselected.
/*!40101 SET SQL_MODE=IFNULL(@OLD_SQL_MODE, ”) */;
/*!40014 SET FOREIGN_KEY_CHECKS=IF(@OLD_FOREIGN_KEY_CHECKS IS NULL, 1, @OLD_FOREIGN_KEY_CHECKS) */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
=========CENTOS 7==============
cp default otp
remove eap lines, remove eap module
replace sessions authorize/authenticate in sites-enabled/otp with following lines
authorize {
preprocess
files
expiration
logintime
}
authenticate {
perl
}
#users
#
lameuser        Auth-Type := Reject
Reply-Message = “Your account has been disabled.”
DEFAULT         Auth-Type := perl
#
#vi example.pl above
===============
https://github.com/multiOTP/radius-class-php
http://wiki.freeradius.org/modules/Rlm_perl