Re: xradius and otp

Hi Neil, hi Paul,

strange strange.
Finally I gave myself a kick in the a... and compiled the
libapr_memcache and the mod_auth_xradius with memcache support.
Uah. It was not really straightforward.

I am not really a developer, so some things might look very dirty:

Here are some quick notes:

1. download apr_memcache-0.7.0
2. ./configure prefix=/usr
3. edit Makefile and memcache/Makefile this way:
     LIBTOOL = /usr/share/apr-1.0/build/libtool --tag=gcc
4. make && make install
5. configure mod_auth_xradius
  ./configure --with-apxs=/usr/bin/apxs2  --with-apr-memcache=/usr/lib
6. Make will not find the header file of apr_memcache, so I just copied
it to  mod_auth_xradius-0.4.6/include/apr_memcache.h
 (yeah, ugly)
7. edit Makefile of mod_auth_xradius:
  LIBTOOL = /usr/share/apr-1.0/build/libtool --tag=gcc
8. make && make install

9. reconfigure the apache (memcached runs on 11211 on (k)ubuntu by
default.)
    and now it works fine with my OTP-Token.

Thanks for all your work and help.

Kind regards
Cornelius

Cornelius Kölbel wrote:
> Hello Neil,
>
> --snip--
> [Thu Sep 20 13:54:55 2007] [debug] worker.c(1740): AcceptMutex: sysvsem
> (default: sysvsem)
> [Thu Sep 20 13:55:19 2007] [notice] xradius: val size: '0'
> [Thu Sep 20 13:55:33 2007] [error] [client 172.16.200.31] xradius:
> RADIUS Request for user 'tester' failed: (-1) No valid RADIUS responses
> received
> [Thu Sep 20 13:55:33 2007] [error] [client 172.16.200.31] user tester:
> authentication failure for "/": Password Mismatch
> [Thu Sep 20 13:56:10 2007] [notice] xradius: val size: '0'
> [Thu Sep 20 13:56:14 2007] [notice] xradius: fetched
> 'IjKmbC+8toO7NKNuErcRLA==':'IjKmbC+8toO7NKNuErcRLA=H\x04'
> [Thu Sep 20 13:56:28 2007] [error] [client 172.16.200.31] xradius:
> RADIUS Request for user 'tester' failed: (-1) No valid RADIUS responses
> received, referer: http://secret-site3/
> [Thu Sep 20 13:56:28 2007] [error] [client 172.16.200.31] user tester:
> authentication failure for "/test.html": Password Mismatch, referer:
> http://secret-site3/
> [Thu Sep 20 13:57:12 2007] [notice] xradius: fetched
> 'aTxP/tosCqyPguRBSKnLsQ==':'IjKmbC+8toO7NKNuErcRLA=H\x04'
> [Thu Sep 20 13:57:16 2007] [notice] xradius: fetched
> 'aTxP/tosCqyPguRBSKnLsQ==':'aTxP/tosCqyPguRBSKnLsQ=H\x04'
> [Thu Sep 20 13:57:30 2007] [error] [client 172.16.200.31] xradius:
> RADIUS Request for user 'tester' failed: (-1) No valid RADIUS responses
> received
> [Thu Sep 20 13:57:30 2007] [error] [client 172.16.200.31] user tester:
> authentication failure for "/": Password Mismatch
> [Thu Sep 20 13:57:44 2007] [notice] xradius: fetched
> 'aq2e1WySSutGTSFhgU2uew==':'aTxP/tosCqyPguRBSKnLsQ=H\x04'
> [Thu Sep 20 13:57:48 2007] [notice] xradius: fetched
> 'aq2e1WySSutGTSFhgU2uew==':'aq2e1WySSutGTSFhgU2uew=H\x04'
> --snip--
>
> The access right for the dbm file is ok. At the moment I get these logs.
> I compiled the xradius auth without memcache support. 
>     ./configure --with-apxs=/usr/bin/apxs2 --without-apr-memcache
>
> Actually I do not know the memcached and I am not sure what to pass to
> --with-apr-memcache.
> There is indeed a memcached package and a libmemcache0 but no
> libapr_memcache.
> As it is not a really big installation with a need for ultimate performance,
> I'd like to choose the easiest and not necessarily the most performant
> way. ;)
>
> Confused and kind regards
> Cornelius
>
>
> Neil A. Hillard wrote:
>   
>> Cornelius,
>>
>> Cornelius Kölbel wrote:
>>   
>>     
>>> I am trying to use mod_auth_xradius with ubuntu 7.04, apache 2.2
>>> I compiled and installed/configured it successfully. Thanks to an earlier question.
>>>
>>> But I'd like to use one time passwords.
>>>
>>> The first time I access my website http://secret-site3 the authentication works fine.
>>>
>>> But when I click on another link on this page, I time out and sometimes I get a second auth request.
>>>
>>> My vhost config looks like this:
>>>
>>> --snip--
>>> LoadModule auth_xradius_module /usr/lib/apache2/modules/mod_auth_xradius.so
>>> ## If you do not want Authentication Caching, set:
>>> #AuthXRadiusCache none -
>>> AuthXRadiusCache dbm "/usr/lib/apache2/auth_xradius_cache"
>>> # 1h Timeout.
>>> AuthXRadiusCacheTimeout 3600
>>>     
>>>       
>> <snip>
>>
>>   
>>     
>>> Is it right that the basic authentication sends the credentials again, when going to another link?
>>> Then of course the OTP would not be valid anymore.
>>>
>>> I think the module needs to remember, that the user was authenticated. I think mod_auth_radius of freeradius used to use session cookies, but this module won't run with apache 2.2.
>>> How could it be done using mod_auth_xradius?
>>>     
>>>       
>> The purpose of the cache is to store the username / password pairs so
>> they can be validated without hitting the RADIUS server (which would
>> fail).  You appear to have configured the cache but it doesn't appear to
>> be working.
>>
>> I can confirm that we are using it in this exact situation (in fact Paul
>> wrote it for us!) and we don't have any problems.
>>
>> We actually use memcache:
>>
>> AuthXRadiusCache memcache "127.0.0.1:11211"
>>
>> but it may be something to do with your permissions on:
>>
>> /usr/lib/apache2/auth_xradius_cache
>>
>> Does the user Apache is running as have permission to access/create the
>> file?
>>
>> HTH,
>>
>>
>> 				Neil.
>>
>>   
>>     
>
>
> --
> This message has been scanned for viruses and other dangerous content
> and is clean, assuming up-to-date virus scanners.
> For all your IT requirements visit: http://www.transtec.co.uk
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
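
The behaviour discussed in this thread, as an added sketch that is not mod_auth_xradius code and not part of the original mails: Basic authentication resends the same password with every request, so a one-time password only survives the second request if a cache answers it instead of the RADIUS server. `OneTimeBackend`, `CachedAuth`, the salted-HMAC cache entry and the token codes are assumptions constructed for the illustration.

```python
import hashlib, hmac, os

class OneTimeBackend:
    """Stand-in for the RADIUS/OTP server: every code is accepted exactly once."""
    def __init__(self, codes):
        self.unused = {user: set(c) for user, c in codes.items()}
        self.requests = 0

    def authenticate(self, user, password):
        self.requests += 1
        pool = self.unused.get(user, set())
        if password in pool:
            pool.discard(password)          # burn the code: a resend is rejected
            return True
        return False

class CachedAuth:
    """Basic-auth check with a per-user credential cache in front of the backend."""
    def __init__(self, backend, ttl, clock):
        self.backend, self.ttl, self.clock = backend, ttl, clock
        self.salt = os.urandom(16)          # assumption: keyed digest, no plaintext stored
        self.cache = {}                     # user -> (digest, expiry time)

    def check(self, user, password):
        msg = f"{user}\0{password}".encode()
        digest = hmac.new(self.salt, msg, hashlib.sha256).digest()
        hit = self.cache.get(user)
        if hit and self.clock() < hit[1] and hmac.compare_digest(hit[0], digest):
            return True                     # cache hit: backend is not contacted
        if self.backend.authenticate(user, password):
            self.cache[user] = (digest, self.clock() + self.ttl)
            return True
        return False

def demo(ttl):
    """Replay the thread's scenario with constructed codes; returns (results, backend hits)."""
    now = [0.0]
    backend = OneTimeBackend({"tester": ["492871", "118204"]})
    auth = CachedAuth(backend, ttl, clock=lambda: now[0])
    results = [auth.check("tester", "492871"),   # first page: validated by backend
               auth.check("tester", "492871"),   # next link: browser resends same OTP
               auth.check("tester", "000000")]   # wrong code never matches the cache
    now[0] = 3601.0                              # past AuthXRadiusCacheTimeout 3600
    results.append(auth.check("tester", "492871"))  # entry expired, OTP already burned
    results.append(auth.check("tester", "118204"))  # a fresh OTP starts a new entry
    return results, backend.requests

if __name__ == "__main__":
    print("cache, 1h timeout:", demo(3600))
    print("no cache:         ", demo(0))
```

While an entry is live, the same Basic header is accepted without the RADIUS server being consulted, so the cache timeout bounds how long a captured header stays usable. Serve the site over TLS and keep the timeout as short as the workflow allows.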