Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EAP-GTC does not include User-Password in any of the VP lists, hence python modules can't do anything with it #2268

alejandro-perez opened this issue Jul 31, 2018 · 4 comments


Copy link

@alejandro-perez alejandro-perez commented Jul 31, 2018

Issue type

  • Defect - Non compliance with a standards document, or incorrect API usage.


Documentation in mods-enabled/eap say that

                #  The plain-text response which comes back
                #  is put into a User-Password attribute,
                #  and passed to another module for
                #  authentication.  This allows the EAP-GTC
                #  response to be checked against plain-text,
                #  or crypt'd passwords.

However, User-Password attribute is not put in any of the VPS lists (request, reply, config, proxy...). Hence, modules written in languages such as Python or Perl cannot access to it.

How to reproduce the issue

  1. Configure EAP-TTLS with GTC as the inner method.
  2. Use the example Python (with the pass_all_vps argument) or Perl modules to check the VP lists.
  3. User-Password is not there.

What happens is that rlm_eap_gtc.c is setting the VP in request->password, but is not adding it to request->packet or request->config. This is not an issue if you want to implement your own C module, as you have access to the whole request structure. However, if you want to perform authentication using Python/Perl/... then you cannot get the value.

I guess it could be added also to request->config or request->packet. What do you think? If you agree I can easily create a PR with the functionality.

Copy link

@alandekok alandekok commented Jul 31, 2018

Just add it to the config list. That's probably the best thing for 3.0.

Copy link
Contributor Author

@alejandro-perez alejandro-perez commented Jul 31, 2018

Yes, right. Although I still could not modify it. What I want to achieve is to implement a 2-factor authentication using TOTP. I want to do something similar to what rlm_yubikey does (using the password to transport PWD+OTP_CODE, validating the code, and rewriting the PWD to restore it to the original value, so the authentication process works as it should). But maybe I MUST write a C module rather than a python one if for making it work I need to patch FR and that patch is not going to be useful to anyone but me.

Copy link

@gm3197 gm3197 commented Jul 4, 2021

@alejandro-perez I am trying to implement something similar, using python to authenticate. How were you able to access the User-Password? alandekok suggested adding it to the config list, how is this done? Thanks.

Copy link
Contributor Author

@alejandro-perez alejandro-perez commented Jul 17, 2021

@gm3197 sorry I was on leave and I couldn't answer.

Just make sure you enable the pass_all_vps_dict option, so you get all the VPs lists. I recommend you to enable the example python module that will dump all the VPs in the log output so you can check in what stage (e.g. authorize or post-auth) and list (e.g. request, config, etc.) is the information you are looking for.

IIRC you get the User-Password attribute in the request list during the authenticate stage.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants