Apache and RADIUS OTP authentication


gg9...@gmail.com

May 17, 2017, 5:04:50 AM5/17/17
to RCDevs Security Solutions - Technical
Hi,

I'm working on a reverse proxy on Apache for the Guacamole project.

This is my /etc/httpd/conf.d/guacamole.conf

<VirtualHost server:80>
ServerName server

# /guacamole settings
ProxyPass /guacamole http://server:8080/guacamole
ProxyPassReverse /guacamole http://server:8080/guacamole

<IfModule radius_auth_module>
  AddRadiusAuth server:1812 testing123 5:1
  AddRadiusCookieValid 60
</IfModule>

<Location /guacamole>

  AuthType Basic
  AuthName "OTP two-factor authentication"
  AuthBasicProvider radius
  AuthRadiusCookieValid 1
  AuthRadiusAuthoritative on
  AuthRadiusActive On
  require valid-user

  RewriteEngine on
  RewriteCond %{REMOTE_USER} (.*)
  RewriteRule .* - [E=X_REMOTE_USER:%1]
  RequestHeader set REMOTE_USER %{X_REMOTE_USER}e

</Location>
</VirtualHost>

When I test the URL http://server/guacamole, the OpenOTP radiusd allows access the first time, but the second time there are some failures:

[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:7BX33S4N] Found 1 user emails: to...@gmail.com
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:7BX33S4N] Found 1 user certificates
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:7BX33S4N] Found 37 user settings: LoginMode=OTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes,ChallengeTimeout=90,EnableLogin=Yes,OTPPrefix=No,AppKeyLength=20,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,MOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=30,ListChallengeMode=ShowID
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:7BX33S4N] Found 7 user data: LoginCount,RejectCount,LastOTP,TokenType,TokenKey,TokenState,TokenID
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:7BX33S4N] Last OTP expired 2017-05-17 10:38:56
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:7BX33S4N] Found 1 registered OTP token (YUBIKEY)
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:7BX33S4N] Requested login factors: OTP
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:7BX33S4N] YUBIKEY password Ok (token #1)
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:7BX33S4N] Updated user data
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:7BX33S4N] Sent success response
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] New openotpNormalLogin SOAP request
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] > Username: toto
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] > Domain: DAG
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] > OTP Password: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] > Client ID: server
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] > Options: RADIUS,-U2F
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] Registered openotpNormalLogin request
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] Resolved LDAP user: CN=toto,OU=xx,OU=Utilisateurs,DC=xx,DC=xx,DC=fr (cached)
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] Started transaction lock for user
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] Found user language: FR
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] Found 1 user emails: to...@gmail.com
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] Found 1 user certificates
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] Found 37 user settings: LoginMode=OTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes,ChallengeTimeout=90,EnableLogin=Yes,OTPPrefix=No,AppKeyLength=20,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,MOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=30,ListChallengeMode=ShowID
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] Found 7 user data: LoginCount,RejectCount,LastOTP,TokenType,TokenKey,TokenState,TokenID
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] Last OTP present (valid until 2017-05-17 10:41:19)
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] Found 1 registered OTP token (YUBIKEY)
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] Requested login factors: OTP
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] Wrong YUBIKEY password (OTP replay)
[2017-05-17 10:40:49] [127.0.0.1] [OpenOTP:FGOJLHNP] Updated user data
[2017-05-17 10:40:50] [127.0.0.1] [OpenOTP:FGOJLHNP] Sent failure response


On the RADIUS side, password_mode is 2.
And LoginMode in WebADM is OTP.

What's wrong? Why the second time, after a successful first time?

Thanks


francois...@rcdevs.com

May 17, 2017, 5:09:06 AM5/17/17
to RCDevs Security Solutions - Technical
Hi,

It means that you send the same OTP password in the second attempt. You need to generate a new OTP with your Yubikey.

gg9...@gmail.com

May 17, 2017, 5:41:52 AM5/17/17
to RCDevs Security Solutions - Technical
OK, I understand, but on the site URL I only get one prompt for the OTP.
So I can't generate a new OTP password for the second time...

francois...@rcdevs.com

May 17, 2017, 9:12:18 AM5/17/17
to RCDevs Security Solutions - Technical
I suppose that guacamole tries to authenticate twice.

In the log, I see that a new authentication starts directly after the successful authentication, without delay.
If you check the RADIUS communication with Wireshark, you should see two authentication requests from Guacamole.

Unfortunately, I cannot help you with the Guacamole configuration.
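The two points made in this thread (the OpenOTP log's "Last OTP present" / "OTP replay" rejection, and the second authentication request that follows the first one with no delay) can be shown in a small model. The following is an added example, not code from the thread or from RCDevs or Apache Guacamole. It models a time-based token (TOTP per RFC 6238, matching the TOTPTimeStep=30 setting visible in the log) rather than the poster's YubiKey, because a TOTP code is valid for a whole time step and therefore makes the need for a LastOTP replay record obvious. The validator remembers the last accepted OTP for a LastOTPTime window, and a proxy-side session cache plays the role of the mod_auth_radius cookie (the AddRadiusCookieValid directive in the poster's configuration): once a request has authenticated against RADIUS, later requests that carry the cookie are admitted without a second OTP check. Class names, the constructed user record and the RFC 4226 test key are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample key: the RFC 4226 test-vector secret, not a real token key.
KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    digest = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step."""
    return hotp(key, int(now // step))


@dataclass
class UserRecord:
    # Mirrors the user data fields named in the log (LastOTP, LoginCount, RejectCount).
    username: str
    token_key: bytes
    last_otp: Optional[str] = None
    last_otp_time: float = 0.0
    login_count: int = 0
    reject_count: int = 0


class OtpValidator:
    """Accepts a correct OTP once; the same OTP again inside LastOTPTime is a replay."""

    def __init__(self, users, last_otp_time: int = 30, step: int = 30):
        self.users = {u.username: u for u in users}
        self.last_otp_time = last_otp_time  # seconds, like LastOTPTime=30 in the log
        self.step = step

    def verify(self, username: str, otp: str, now: float) -> str:
        user = self.users.get(username)
        if user is None:
            return "failure: unknown user"
        # Replay check first, exactly as the log shows: "Last OTP present" then "OTP replay".
        if user.last_otp is not None and now - user.last_otp_time < self.last_otp_time:
            if hmac.compare_digest(user.last_otp, otp):
                user.reject_count += 1
                return "failure: OTP replay"
        # Only the current time step is accepted in this model (no offset window).
        if not hmac.compare_digest(totp(user.token_key, now, self.step), otp):
            user.reject_count += 1
            return "failure: wrong OTP"
        user.last_otp, user.last_otp_time = otp, now
        user.login_count += 1
        return "success"


class ProxyAuthCache:
    """Proxy-side session cache standing in for the mod_auth_radius cookie.

    After one successful RADIUS authentication a random cookie is issued and
    requests carrying it are admitted for cookie_valid_minutes without asking
    the OTP server again, so a browser that re-sends the same Basic-Auth
    credentials on every request does not trigger a second (replayed) OTP check.
    """

    def __init__(self, validator: OtpValidator, cookie_valid_minutes: int = 1):
        self.validator = validator
        self.ttl = cookie_valid_minutes * 60
        self.sessions = {}  # cookie -> (username, expiry)

    def handle_request(self, username: str, otp: str, now: float, cookie: Optional[str] = None):
        sess = self.sessions.get(cookie)
        if sess and sess[0] == username and now < sess[1]:
            return ("allowed", "cookie", cookie)
        result = self.validator.verify(username, otp, now)
        if result != "success":
            return ("denied", result, None)
        new_cookie = secrets.token_hex(16)
        self.sessions[new_cookie] = (username, now + self.ttl)
        return ("allowed", "radius", new_cookie)


def simulate(reuse_cookie: bool):
    """Two back-to-back requests with the same OTP, with or without the session cookie."""
    validator = OtpValidator([UserRecord("toto", KEY)])
    proxy = ProxyAuthCache(validator, cookie_valid_minutes=1)
    now = 990.0  # constructed clock value
    code = totp(KEY, now)
    first = proxy.handle_request("toto", code, now)
    cookie = first[2] if reuse_cookie else None
    second = proxy.handle_request("toto", code, now + 0.5, cookie)
    return first[:2], second[:2]


if __name__ == "__main__":
    print("with cookie:   ", simulate(True))
    print("without cookie:", simulate(False))
```

Without the cookie the second request reaches the validator with the OTP it already consumed and is rejected as a replay, which is the failure the log records; with the cookie the second request never reaches the OTP server at all. The model deliberately accepts only the current time step: if an offset window is allowed, the replay record must be kept at least as long as that window, otherwise a code could be accepted a second time after the record expires.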