Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EAP-GTC does not include User-Password in any of the VP lists, hence python modules can't do anything with it #2268

alejandro-perez opened this Issue Jul 31, 2018 · 2 comments


None yet
2 participants
Copy link

alejandro-perez commented Jul 31, 2018

Issue type

  • Defect - Non compliance with a standards document, or incorrect API usage.


Documentation in mods-enabled/eap say that

                #  The plain-text response which comes back
                #  is put into a User-Password attribute,
                #  and passed to another module for
                #  authentication.  This allows the EAP-GTC
                #  response to be checked against plain-text,
                #  or crypt'd passwords.

However, User-Password attribute is not put in any of the VPS lists (request, reply, config, proxy...). Hence, modules written in languages such as Python or Perl cannot access to it.

How to reproduce the issue

  1. Configure EAP-TTLS with GTC as the inner method.
  2. Use the example Python (with the pass_all_vps argument) or Perl modules to check the VP lists.
  3. User-Password is not there.

What happens is that rlm_eap_gtc.c is setting the VP in request->password, but is not adding it to request->packet or request->config. This is not an issue if you want to implement your own C module, as you have access to the whole request structure. However, if you want to perform authentication using Python/Perl/... then you cannot get the value.

I guess it could be added also to request->config or request->packet. What do you think? If you agree I can easily create a PR with the functionality.


This comment has been minimized.

Copy link

alandekok commented Jul 31, 2018

Just add it to the config list. That's probably the best thing for 3.0.


This comment has been minimized.

Copy link
Contributor Author

alejandro-perez commented Jul 31, 2018

Yes, right. Although I still could not modify it. What I want to achieve is to implement a 2-factor authentication using TOTP. I want to do something similar to what rlm_yubikey does (using the password to transport PWD+OTP_CODE, validating the code, and rewriting the PWD to restore it to the original value, so the authentication process works as it should). But maybe I MUST write a C module rather than a python one if for making it work I need to patch FR and that patch is not going to be useful to anyone but me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.