freeradius - OTP
# vi /var/www/html/OTP/pam.php
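<?php
// Stub back-end for the rlm_perl authenticate() hook below.  It is queried
// with the GET parameters user/pass/client/clientId/realm; the Perl side
// grants access only when the response body contains ":-)".  This stub
// always answers ":-(" (deny) and appends the request to a debug log.
echo ":-(";

// Log the request for debugging, but never the submitted credential: the
// file in /tmp must not accumulate cleartext passwords.
$logged = $_GET;
if (array_key_exists('pass', $logged)) {
    $logged['pass'] = '[redacted]';
}
file_put_contents('/tmp/pam.txt', date('Y-m-d D H:i:s ') . json_encode($logged) . "\n", FILE_APPEND);
?>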
#yum install freeradius freeradius-utils freeradius-perl perl-libwww-perl
#perl -MCPAN -e shell
#perl -MCPAN -e shell
>install LWP
#radiusd -X
#radtest hieu 2234 127.0.0.1 123 testing123
- Create a new file '/etc/freeradius/sites-available/linotp' with the following content:
authorize {
    # Normalizes malformed client requests before they are handed on to other
    # modules (see '/etc/freeradius/modules/preprocess').
    preprocess
    # If you are using multiple kinds of realms, you probably
    # want to set "ignore_null = yes" for all of them.
    # Otherwise, when the first style of realm doesn't match,
    # the other styles won't be checked.
    # Allows a list of realms (see '/etc/freeradius/modules/realm').
    IPASS
    # Understands something like USER@REALM and can tell the components apart
    # (see '/etc/freeradius/modules/realm').
    suffix
    # Understands USER\REALM and can tell the components apart
    # (see '/etc/freeradius/modules/realm').
    ntdomain
    # Read the 'users' file to learn about special configuration which should
    # be applied for certain users (see '/etc/freeradius/modules/files').
    files
    # Allows authentication to expire (see '/etc/freeradius/modules/expiration').
    expiration
    # Allows defining valid service times (see '/etc/freeradius/modules/logintime').
    logintime
    # We got no radius_shortname_map!
    pap
}
# Here the linotp perl module is called for further processing.
authenticate {
    perl
}
ln -s ../sites-available/linotp /etc/freeradius/sites-enabled
#less example.pl
#
# If you are using DBI and do some queries to DB, please be sure to
# use the CLONE function to initialize the DBI connection to DB.
#
use strict;
use LWP;
# use …
# This is very important! Without this, the script will not get the filled hashes from main.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;
# This is the hash which holds the original request from radius
#my %RAD_REQUEST;
# In this hash you add values that will be returned to NAS.
#my %RAD_REPLY;
#This is for check items
#my %RAD_CHECK;
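# Location of the OTP back-end and how long to wait for it.  The timeout
# value is a chosen default; tune it to the back-end's response time.
use constant OTP_URL     => 'http://localhost/OTP/pam.php';
use constant OTP_TIMEOUT => 10;    # seconds

# Called by rlm_perl for the "authenticate" section.  Forwards the
# credentials from %RAD_REQUEST to the OTP back-end over HTTP and maps its
# answer to a RADIUS module return code.
#
# Reads:   $RAD_REQUEST{'User-Name'}, $RAD_REQUEST{'User-Password'},
#          $RAD_REQUEST{'NAS-IP-Address'}, $RAD_REQUEST{'NAS-Identifier'},
#          $RAD_REQUEST{'Calling-Station-Id'}
# Writes:  $RAD_REPLY{'Reply-Message'} on rejection.
# Returns: RLM_MODULE_OK when the back-end body contains ":-)", otherwise
#          RLM_MODULE_REJECT.  Dies (reported by rlm_perl as a module
#          failure) when the HTTP request itself does not succeed.
#
# NOTE: User-Password travels in the query string of a plain-HTTP GET to
# localhost, so the web server's access log will record it unless logging
# for this URL is disabled; keep pam.php reachable from loopback only.
sub authenticate {
    # For debugging purposes only
    # &log_request_attributes;

    # Every attribute is percent-encoded before it is placed in the query
    # string: a User-Name or password containing '&', '=', '#' or '%' would
    # otherwise be truncated or would inject extra parameters into the
    # request seen by pam.php.  Missing attributes are sent as empty values.
    my @params = (
        user     => $RAD_REQUEST{'User-Name'},
        pass     => $RAD_REQUEST{'User-Password'},
        client   => $RAD_REQUEST{'NAS-IP-Address'},
        clientId => $RAD_REQUEST{'NAS-Identifier'},
        realm    => $RAD_REQUEST{'Calling-Station-Id'},
    );
    my $url = OTP_URL . '?' . _query_string(@params);

    my $ua = LWP::UserAgent->new();
    # Bound the wait for the back-end; a hung pam.php would otherwise hold
    # this worker for LWP's default timeout.
    $ua->timeout(OTP_TIMEOUT);
    my $req      = HTTP::Request->new( GET => $url );
    my $response = $ua->request($req);
    die "Error at OTP/pam.php\n ", $response->status_line, "\n Aborting"
        unless $response->is_success;

    # The back-end signals success with ":-)" somewhere in its body.
    if ( $response->content =~ m/:\-\)/i ) {
        return RLM_MODULE_OK;
    }
    $RAD_REPLY{'Reply-Message'} = "Wrong OTP - access denied !";
    return RLM_MODULE_REJECT;
}

# Build an application/x-www-form-urlencoded query string from a list of
# key/value pairs.  undef values are sent as empty strings.
sub _query_string {
    my @pairs = @_;
    my @encoded;
    while (@pairs) {
        my ( $key, $value ) = splice @pairs, 0, 2;
        $value = '' unless defined $value;
        push @encoded, _url_encode($key) . '=' . _url_encode($value);
    }
    return join '&', @encoded;
}

# Percent-encode every character outside the RFC 3986 unreserved set.
# Assumes byte strings, which is what the RADIUS attributes arrive as;
# characters above 0xFF would not be encoded correctly.
sub _url_encode {
    my ($text) = @_;
    $text =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord $1)/ge;
    return $text;
}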
#vi users
lameuser Auth-Type := Reject
Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := perl
DB
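/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET NAMES utf8 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
-- Dumping database structure for OTP
CREATE DATABASE IF NOT EXISTS `OTP` /*!40100 DEFAULT CHARACTER SET utf8 */;
USE `OTP`;
-- Dumping structure for table OTP.tbl_cache
-- One row per (Server, Username), enforced by the unique key.
CREATE TABLE IF NOT EXISTS `tbl_cache` (
  `Username` varchar(50) DEFAULT NULL,
  `Code` varchar(100) DEFAULT NULL,
  `Dt` datetime DEFAULT NULL,
  `LastUpdate` int(11) DEFAULT NULL,
  `Server` varchar(50) DEFAULT NULL,
  UNIQUE KEY `Index 1` (`Server`,`Username`),
  KEY `Index 2` (`LastUpdate`,`Code`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
-- Data exporting was unselected.
-- Dumping structure for table OTP.tbl_users
-- NOTE(review): `Code` and `Pin` are plain varchar columns.  If they hold the
-- per-user OTP secret and PIN rather than hashes, anyone who can read this
-- table can produce valid OTPs; store a hash (or an encrypted seed) and limit
-- the application's DB account to this schema.
CREATE TABLE IF NOT EXISTS `tbl_users` (
  `id` int(10) NOT NULL AUTO_INCREMENT,
  `Username` varchar(50) NOT NULL,
  `Code` varchar(50) NOT NULL,
  `Pin` varchar(50) NOT NULL,
  `Phone` varchar(50) DEFAULT NULL,
  PRIMARY KEY (`id`),
  KEY `Index 2` (`Username`)
) ENGINE=InnoDB AUTO_INCREMENT=77 DEFAULT CHARSET=utf8;
-- Data exporting was unselected.
/*!40101 SET SQL_MODE=IFNULL(@OLD_SQL_MODE, '') */;
/*!40014 SET FOREIGN_KEY_CHECKS=IF(@OLD_FOREIGN_KEY_CHECKS IS NULL, 1, @OLD_FOREIGN_KEY_CHECKS) */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;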
=========CENTOS 7==============
cp default otp
remove eap lines, remove eap module
replace the authorize/authenticate sections in sites-enabled/otp with the following lines
authorize {
    # Same module order as the linotp site above, minus the realm modules:
    # preprocess normalizes the request, files applies the 'users' entries
    # (which set Auth-Type := perl), expiration and logintime enforce the
    # account-expiry and service-time limits.
    preprocess
    files
    expiration
    logintime
}
authenticate {
    # The perl module (example.pl above) performs the OTP check.
    perl
}
#users
#
lameuser Auth-Type := Reject
Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := perl
#
#vi example.pl above
===============
https://github.com/multiOTP/radius-class-php
http://wiki.freeradius.org/modules/Rlm_perl