I have just set up a FreeRADIUS server and would like to authenticate users with their LDAP password together with a Yubico OTP generated by their YubiKey.
It works out of the box with the LDAP password alone, without any extra configuration, but I cannot work out the configuration needed to add Yubico OTP validation...
I have installed the freeradius-yubikey module and configured it as follows:
yubikey {
	# length of the Public-ID prefix of the OTP (12 modhex characters by default)
	id_length = 12
	# split User-Password into the user's password and the trailing OTP
	split = yes
	# do not decrypt locally; validate against a validation server instead
	decrypt = no
	validate = yes
	validation {
		servers {
			# validation server URI (plain http here; the shipped default uses https)
			uri = 'http://IP_of_validation_server/wsapi/2.0/verify?id=%d&otp=%s'
		}
		client_id = 1
		api_key = 'my_api_key'
		pool {
			start = ${thread[pool].start_servers}
			min = ${thread[pool].min_spare_servers}
			max = ${thread[pool].max_servers}
			uses = 0
			retry_delay = 30
			lifetime = 0
			idle_timeout = 60
			spread = yes
		}
	}
}
In the LDAP server I added an attribute yubiKeyId to each user containing their YubiKey ID. In the end, I would like the following authentication process:
1) A request from a client specifying the user and the LDAP password concatenated with the Yubico OTP
2) The RADIUS server looks up the user who wants to authenticate
3) The server splits the received password into the LDAP password and the Yubico OTP
4) The server validates:
- the LDAP password received against the userPassword from the LDAP server
- the Yubico OTP, only if the user possesses the YubiKey
- a user possesses the YubiKey associated with the Yubico OTP if the first part of the Yubico OTP and the yubiKeyId attribute from the LDAP server are equal
5) The server sends a response
However, to do this I don't know how to split the password that was sent, validate the first part against LDAP and the second part with the yubikey module, and query the attribute from the LDAP server for the further check.
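One way to wire the five steps above together in FreeRADIUS 3.x unlang, as an added example and not configuration from the original post. It assumes the documented rlm_yubikey split behaviour (with split = yes its authorize method strips the trailing OTP off User-Password and adds Yubikey-OTP and Yubikey-Public-ID to the request), that the RADIUS bind DN may read the poster's custom yubiKeyId attribute, and that yubiKeyId stores the public ID in the same lowercase modhex form the module produces. The Auth-Type name ldap_yubikey and the choice of control:Yubikey-Public-ID as the carrier for the LDAP value are this example's own assumptions.

```unlang
#  mods-available/ldap: map the enrolled public ID into a control attribute
#  (merge into the existing update section of the ldap module instance;
#  assumes the bind DN may read yubiKeyId)
ldap {
	update {
		control:Yubikey-Public-ID := 'yubiKeyId'
	}
}

#  sites-available/default
authorize {
	#  step 3: split User-Password into <ldap password><44-char OTP>; on
	#  success the module adds &request:Yubikey-OTP and &request:Yubikey-Public-ID
	yubikey
	if (!&request:Yubikey-OTP) {
		reject
	}

	#  step 2: look the user up; the update map above fills &control:Yubikey-Public-ID
	ldap

	#  step 4c: existence is checked separately so a user with no enrolled key
	#  is rejected rather than depending on how a missing attribute compares
	if (!&control:Yubikey-Public-ID) {
		reject
	}
	if (&control:Yubikey-Public-ID != &request:Yubikey-Public-ID) {
		reject
	}

	#  hypothetical Auth-Type name chosen for this example
	update control {
		&Auth-Type := ldap_yubikey
	}
}

authenticate {
	Auth-Type ldap_yubikey {
		#  step 4a: bind as the user with the stripped User-Password.
		#  In an authenticate section "ok" returns at once by default, which
		#  would skip the OTP check, so it is remapped to "continue"; every
		#  other code returns so the OTP is never validated after a failed bind
		ldap {
			ok       = 1
			updated  = 1
			reject   = return
			fail     = return
			invalid  = return
			userlock = return
			notfound = return
			noop     = return
		}
		#  step 4b: validate &request:Yubikey-OTP against the validation server
		yubikey
	}
}
```

The action overrides on the ldap call are the part most worth checking in debug mode (radiusd -X): without them a successful bind ends the Auth-Type section before yubikey runs, and with only the ok override a failed bind would still let the OTP check decide the outcome. Note also that the shipped validation URI is https; with a plaintext http URI the OTP and client id cross the network unencrypted even though the api_key HMAC still authenticates the server's response.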