18
Sep

freeradius - OTP

   Posted by: admin   in Mẹo vặt của hiếu râu

# vi /var/www/html/OTP/pam.php

<?php

echo “:-(”;    // :-)

file_put_contents(’/tmp/pam.txt’,date(’Y-m-d D H:i:s ‘).json_encode($_GET).”\n”,FILE_APPEND);

?>

#yum install freeradius freeradius-utils freeradius-perl perl-libwww-perl
#perl -MCPAN -e shell
>install LWP
#radius -X
#radtest  hieu 2234 127.0.0.1 123 testing123
    Create a new file ‘/etc/freeradius/sites-available/linotp’ with the following content:

    authorize {
    
    #normalizes maleformed client request before handed on to other modules (see '/etc/freeradius/modules/preprocess')
            preprocess
    
            #  If you are using multiple kinds of realms, you probably
            #  want to set "ignore_null = yes" for all of them.
            #  Otherwise, when the first style of realm doesn't match,
            #  the other styles won't be checked.
    
    #allows a list of realm (see '/etc/freeradius/modules/realm')
            IPASS
    
    #understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
            suffix
    
    #understands USER\REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
            ntdomain
    
            #  Read the 'users' file to learn about special configuration which should be applied for
            # certain users (see '/etc/freeradius/modules/files')
            files
    
            # allows to let authentification to expire (see '/etc/freeradius/modules/expiration')
            expiration
    
            # allows to define valid service-times (see '/etc/freeradius/modules/logintime')
            logintime
    
            # We got no radius_shortname_map!
            pap
    }
    
    #here the linotp perl module is called for further processing
    authenticate {
            perl
    }
  • and activate the configuration by softlinking it in to ‘/etc/freeradius/sites-enabled’
  • ln -s ../sites-available/linotp /etc/freeradius/sites-enabled'
#less example.pl
#
# If you are using DBI and do some queries to DB, please be sure to
# use the CLONE function to initialize the DBI connection to DB.
#
use strict;
use LWP;
# use …
# This is very important ! Without this script will not get the filled hashesh from main.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;
# This is hash wich hold original request from radius
#my %RAD_REQUEST;
# In this hash you add values that will be returned to NAS.
#my %RAD_REPLY;
#This is for check items
#my %RAD_CHECK;
sub authenticate {
# For debugging purposes only
#       &log_request_attributes;
my $ua = LWP::UserAgent->new();
my $req = HTTP::Request->new( GET =>  “http://localhost/OTP/pam.php?user=” .
$RAD_REQUEST{’User-Name’} . “&pass=” . $RAD_REQUEST{’User-Password’} . “&client=” . $RAD_REQUEST{’NAS-IP-Address’} .
“&clientId=” . $RAD_REQUEST{’NAS-Identifier’} .
“&realm=” . $RAD_REQUEST{’Calling-Station-Id’} );
my $response = $ua->request( $req );
die “Error at OTP/pam.php\n “, $response->status_line, “\n Aborting”
unless $response->is_success;
if($response->content =~ m/:\-\)/i) {
return RLM_MODULE_OK;
} else {
$RAD_REPLY{’Reply-Message’} = “Wrong OTP - access denied !”;
return RLM_MODULE_REJECT;
}
}
#vi users
lameuser        Auth-Type := Reject
Reply-Message = “Your account has been disabled.”
DEFAULT         Auth-Type := perl
DB
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET NAMES utf8 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE=’NO_AUTO_VALUE_ON_ZERO’ */;
– Dumping database structure for OTP
CREATE DATABASE IF NOT EXISTS `OTP` /*!40100 DEFAULT CHARACTER SET utf8 */;
USE `OTP`;
– Dumping structure for table OTP.tbl_cache
CREATE TABLE IF NOT EXISTS `tbl_cache` (
`Username` varchar(50) DEFAULT NULL,
`Code` varchar(100) DEFAULT NULL,
`Dt` datetime DEFAULT NULL,
`LastUpdate` int(11) DEFAULT NULL,
`Server` varchar(50) DEFAULT NULL,
UNIQUE KEY `Index 1` (`Server`,`Username`),
KEY `Index 2` (`LastUpdate`,`Code`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
– Data exporting was unselected.
– Dumping structure for table OTP.tbl_users
CREATE TABLE IF NOT EXISTS `tbl_users` (
`id` int(10) NOT NULL AUTO_INCREMENT,
`Username` varchar(50) NOT NULL,
`Code` varchar(50) NOT NULL,
`Pin` varchar(50) NOT NULL,
`Phone` varchar(50) DEFAULT NULL,
PRIMARY KEY (`id`),
KEY `Index 2` (`Username`)
) ENGINE=InnoDB AUTO_INCREMENT=77 DEFAULT CHARSET=utf8;
– Data exporting was unselected.
/*!40101 SET SQL_MODE=IFNULL(@OLD_SQL_MODE, ”) */;
/*!40014 SET FOREIGN_KEY_CHECKS=IF(@OLD_FOREIGN_KEY_CHECKS IS NULL, 1, @OLD_FOREIGN_KEY_CHECKS) */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
=========CENTOS 7==============
cp default otp
remove eap lines, remove eap module
replace sessions authorize/authenticate in sites-enabled/otp with following lines
authorize {
preprocess
files
expiration
logintime
}
authenticate {
perl
}
#users
#
lameuser        Auth-Type := Reject
Reply-Message = “Your account has been disabled.”
DEFAULT         Auth-Type := perl
#
#vi example.pl above
===============
https://github.com/multiOTP/radius-class-php
http://wiki.freeradius.org/modules/Rlm_perl
This entry was posted on Sunday, September 18th, 2016 at 5:29 pm and is filed under Mẹo vặt của hiếu râu. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Comments are closed at this time.