From 824878cfa8f72101cd8b00bdd561926758bedd97 Mon Sep 17 00:00:00 2001
From: Jan Rude
Date: Fri, 23 Sep 2016 14:03:02 +0200
Subject: [PATCH 1/6] Update freeradius.inc

---
 .../files/usr/local/pkg/freeradius.inc | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.inc b/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.inc
index 09365328646c..de57e3b0d234 100644
--- a/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.inc
+++ b/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.inc
@@ -95,7 +95,14 @@ function freeradius_install_command() {
 log_error("FreeRADIUS: Creating backup of the original file to " . FREERADIUS_ETC . "/raddb/files.backup");
 copy(FREERADIUS_ETC . "/raddb/modules/files", FREERADIUS_ETC . "/raddb/files.backup");
 }
-
+
+ // Install Google Authenticator scripts
+ if (!file_exists(FREERADIUS_ETC . "/raddb/scripts/googleauth.py")) {
+ copy(FREERADIUS_BASE . "/pkg/googleauth.py", FREERADIUS_ETC . "/raddb/scripts/");
+ exec("chmod +x " . FREERADIUS_ETC . "/raddb/scripts/googleauth.py");
+ }
+ if (!file_exists(FREERADIUS_ETC . "/raddb/modules/googleauth")) { copy(FREERADIUS_BASE . "/pkg/googleauth", FREERADIUS_ETC . "/raddb/modules/");}
+
 // Disable virtual-server we do not need by default
 if (file_exists(FREERADIUS_ETC . "/raddb/sites-enabled/control-socket")) { unlink(FREERADIUS_ETC . "/raddb/sites-enabled/control-socket"); }
 if (file_exists(FREERADIUS_ETC . "/raddb/sites-enabled/inner-tunnel")) { unlink(FREERADIUS_ETC . "/raddb/sites-enabled/inner-tunnel"); }
@@ -439,7 +446,8 @@ if (is_array($arrusers) && !empty($arrusers)) {
 $varuserspassword = $users['varuserspassword'];
 }
-
+
+ $varusersauthmethod = $users['varusersauthmethod'];
 $varusersmotpinitsecret = $users['varusersmotpinitsecret'];
 $varusersmotppin = $users['varusersmotppin'];
 $varusersmotpoffset = ($users['varusersmotpoffset']?$users['varusersmotpoffset']:'0');
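Review bot: `copy(FREERADIUS_BASE . "/pkg/googleauth.py", FREERADIUS_ETC . "/raddb/scripts/")` passes a directory as the destination; PHP's copy() needs a file path, so the copy fails, the following `exec("chmod +x ...")` runs against a file that is not there, and because neither return value is checked the install logs nothing and silently retries on every run (the `googleauth` module line two lines below has the same shape, and nothing in the hunk creates the scripts directory if the base package lacks it). I would spell the destination out and gate the mode change on success: `$dst = FREERADIUS_ETC . "/raddb/scripts/googleauth.py";` / `if (copy(FREERADIUS_BASE . "/pkg/googleauth.py", $dst)) { chmod($dst, 0755); } else { log_error("FreeRADIUS: could not install " . $dst); }`. Spawning a shell through exec() just to set a mode bit is unnecessary when chmod() does it in-process; patch 4/6 of this series makes that switch but misspells the constant, see the note there. freeradius_install_command() continues outside the hunk.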
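Review bot: `$varusersauthmethod = $users['varusersauthmethod'];` reads the new key unconditionally, so user entries saved before this field existed produce an undefined-index notice and leave the variable null, while the neighbouring `$varusersmotpoffset` line at least substitutes a default. I would read it as `$varusersauthmethod = isset($users['varusersauthmethod']) ? $users['varusersauthmethod'] : 'motp';`, where 'motp' assumes the previous single method is the intended fallback (the select's default is not visible in this series). The enclosing block starts outside the hunk and the place where the value is consumed is not shown.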
@@ -1784,6 +1792,12 @@ authenticate {
 motp
 }
+ #
+ # Google-Authenticator authentication.
+ Auth-Type GOOGLEAUTH {
+ googleauth
+ }
+
 #
 # If you have a Cisco SIP server authenticating against
 # FreeRADIUS, uncomment the following line, and the 'digest'
From 2d26649cf9497d8341f51494a5d29011afae6e16 Mon Sep 17 00:00:00 2001
From: Jan Rude
Date: Fri, 23 Sep 2016 14:03:25 +0200
Subject: [PATCH 2/6] Add files via upload

---
 .../files/usr/local/pkg/googleauth | 4 ++
 .../files/usr/local/pkg/googleauth.py | 57 +++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 net/pfSense-pkg-freeradius2/files/usr/local/pkg/googleauth
 create mode 100644 net/pfSense-pkg-freeradius2/files/usr/local/pkg/googleauth.py

diff --git a/net/pfSense-pkg-freeradius2/files/usr/local/pkg/googleauth b/net/pfSense-pkg-freeradius2/files/usr/local/pkg/googleauth
new file mode 100644
index 000000000000..cd39482686dd
--- /dev/null
+++ b/net/pfSense-pkg-freeradius2/files/usr/local/pkg/googleauth
@@ -0,0 +1,4 @@
+exec googleauth {
+ wait = yes
+ program = " /usr/local/etc/raddb/scripts/googleauth.py %{request:User-Name} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{request:User-Password}"
+}
\ No newline at end of file
diff --git a/net/pfSense-pkg-freeradius2/files/usr/local/pkg/googleauth.py b/net/pfSense-pkg-freeradius2/files/usr/local/pkg/googleauth.py
new file mode 100644
index 000000000000..4a329487090d
--- /dev/null
+++ b/net/pfSense-pkg-freeradius2/files/usr/local/pkg/googleauth.py
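Review bot: The new `Auth-Type GOOGLEAUTH { googleauth }` section only runs for requests whose Auth-Type was set to GOOGLEAUTH during authorize, and no hunk in this series does that — the users-file generation that would emit `Auth-Type := GOOGLEAUTH` for entries whose varusersauthmethod is googleauth is not part of the patches, so unless it lives elsewhere the block is unreachable. I would add a comment above the section naming where Auth-Type is assigned for these users, e.g. `# Selected per user via Auth-Type := GOOGLEAUTH in the generated users file.`, so the dependency is visible to whoever edits the template next. The authenticate section continues on both sides of the hunk.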
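Review bot: `program = " /usr/local/etc/raddb/scripts/googleauth.py %{request:User-Name} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{request:User-Password}"` hands the shared TOTP secret, the PIN and the cleartext User-Password to the script as command-line arguments, which any local user can read from the process table while the script runs and which may end up in process accounting. rlm_exec can export attributes through the environment (`input_pairs`) instead, so I would keep only the user name on the command line and read the three sensitive values from the environment in the script, with a comment recording which list each attribute is taken from. Two smaller points on the same line: the program string starts with a space before the path, which should be dropped, and the path is hardcoded while freeradius.inc derives the same location from FREERADIUS_ETC, so the two can drift apart.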
@@ -0,0 +1,57 @@
+#!/usr/local/bin/python2.7
+import sys
+import time
+import struct
+import hmac
+import hashlib
+import base64
+import syslog
+
+def authenticate(username, secretkey, pin, code_attempt):
+
+ if code_attempt.startswith(pin,0, len(pin)) == False:
+ syslog.syslog(syslog.LOG_ERR, "freeRADIUS: Google Authenticator - Authentication failed. User: " + username + ", Reason: wrong PIN")
+ return False
+
+ code_attempt = code_attempt[len(pin):]
+ tm = int(time.time() / 30)
+
+ secretkey = base64.b32decode(secretkey)
+
+ # try 30 seconds behind and ahead as well
+ for ix in [-1, 0, 1]:
+ # convert timestamp to raw bytes
+ b = struct.pack(">q", tm + ix)
+
+ # generate HMAC-SHA1 from timestamp based on secret key
+ hm = hmac.HMAC(secretkey, b, hashlib.sha1).digest()
+
+ # extract 4 bytes from digest based on LSB
+ offset = ord(hm[-1]) & 0x0F
+ truncatedHash = hm[offset:offset+4]
+
+ # get the code from it
+ code = struct.unpack(">L", truncatedHash)[0]
+ code &= 0x7FFFFFFF;
+ code %= 1000000;
+
+ if ("%06d" % code) == str(code_attempt):
+ syslog.syslog(syslog.LOG_NOTICE, "freeRADIUS: Google Authenticator - Authentication successful for user: " + username)
+ return True
+
+ syslog.syslog(syslog.LOG_ERR, "freeRADIUS: Google Authenticator - Authentication failed. User: " + username + ", Reason: wrong tokencode")
+ return False
+
+
+# Check the length of the parameters
+if len(sys.argv) != 5:
+ syslog.syslog(syslog.LOG_ERR, "freeRADIUS: Google Authenticator - wrong syntax - USAGE: googleauth.py Username, Secret-Key, PIN, Auth-Attempt")
+ exit(1)
+
+
+auth = authenticate(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])
+
+if auth == True:
+ exit(0)
+
+exit(1)
\ No newline at end of file
From 9b0a050e253fca17f12b459e0d6ba320cf65d355 Mon Sep 17 00:00:00 2001
From: Jan Rude
Date: Fri, 23 Sep 2016 14:05:02 +0200
Subject: [PATCH 3/6] Update freeradius.xml

---
 .../files/usr/local/pkg/freeradius.xml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
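Review bot: `secretkey = base64.b32decode(secretkey)` is the one failure path the script does not handle: a stored secret with bad padding or characters outside the base32 alphabet raises (TypeError under the python2.7 shebang, binascii.Error on Python 3), the process dies with a traceback instead of the syslog line every other branch writes, and rlm_exec only sees a non-zero exit. I would wrap it as below so the failure is logged with the user name, consistent with the PIN and token branches, without echoing the secret. The script also keeps no record of the last time step it accepted, so a code that has just succeeded stays valid for the rest of its three-step window and can be replayed; a per-user last-used step persisted by the caller would close that, though no state store is visible in the series. Minor: `exit(0)`/`exit(1)` are the site-module helpers, `sys.exit(...)` is the form for a non-interactive script now that sys is imported, and `("%06d" % code) == str(code_attempt)` can be `hmac.compare_digest("%06d" % code, code_attempt)` on 2.7.7 and later.
```python
    tm = int(time.time() / 30)

    try:
        secretkey = base64.b32decode(secretkey)
    except (TypeError, ValueError):
        # malformed stored secret: log it like the other failures, never log the value itself
        syslog.syslog(syslog.LOG_ERR, "freeRADIUS: Google Authenticator - Authentication failed. User: " + username + ", Reason: malformed secret")
        return False

    # … unchanged: time-step loop and HMAC-SHA1 truncation …
```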
diff --git a/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.xml b/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.xml
index 7b12ab93cb15..df7af2bce384 100644
--- a/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.xml
+++ b/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.xml
@@ -197,6 +197,21 @@ checkbox varusersmotpinitsecret,varusersmotppin,varusersmotpoffset + + Authentication Method + varusersauthmethod + + + + select + motp + + + + + Init-Secret varusersmotpinitsecret
From 4dbf2448e37147c5cc3331d84241707068af852d Mon Sep 17 00:00:00 2001
From: Jan Rude
Date: Tue, 13 Dec 2016 12:06:50 +0100
Subject: [PATCH 4/6] Update freeradius.inc

Use PHP chmod() function
---
 net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.inc b/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.inc
index de57e3b0d234..29eef5c39880 100644
--- a/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.inc
+++ b/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.inc
@@ -99,7 +99,7 @@ function freeradius_install_command() {
 // Install Google Authenticator scripts
 if (!file_exists(FREERADIUS_ETC . "/raddb/scripts/googleauth.py")) {
 copy(FREERADIUS_BASE . "/pkg/googleauth.py", FREERADIUS_ETC . "/raddb/scripts/");
- exec("chmod +x " . FREERADIUS_ETC . "/raddb/scripts/googleauth.py");
+ chmod(REERADIUS_ETC . "/raddb/scripts/googleauth.py",0755);
 }
 if (!file_exists(FREERADIUS_ETC . "/raddb/modules/googleauth")) { copy(FREERADIUS_BASE . "/pkg/googleauth", FREERADIUS_ETC . "/raddb/modules/");}
From 64651d111a6cae4389faca3fc45e977cafd330c2 Mon Sep 17 00:00:00 2001
From: Jan Rude
Date: Tue, 13 Dec 2016 12:10:40 +0100
Subject: [PATCH 5/6] Update googleauth.py

Added Copyright and License
---
 .../files/usr/local/pkg/googleauth.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
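Review bot: `chmod(REERADIUS_ETC . "/raddb/scripts/googleauth.py",0755);` misspells the constant: on PHP 5/7 an undefined constant resolves to the bare string "REERADIUS_ETC" with only a notice, so the call targets the relative path REERADIUS_ETC/raddb/scripts/googleauth.py, returns false unnoticed, and the script is installed without the execute bit the exec module needs — the change this commit exists to make ("Use PHP chmod() function") therefore does nothing. The line should read `chmod(FREERADIUS_ETC . "/raddb/scripts/googleauth.py", 0755);`, and logging when chmod() (and the copy() above it) returns false would have surfaced this in the install log. Patch 6/6 carries the misspelt line forward unchanged as context, so it is still present at the end of the series. freeradius_install_command() continues outside the hunk.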
diff --git a/net/pfSense-pkg-freeradius2/files/usr/local/pkg/googleauth.py b/net/pfSense-pkg-freeradius2/files/usr/local/pkg/googleauth.py
index 4a329487090d..495cfc2b0a25 100644
--- a/net/pfSense-pkg-freeradius2/files/usr/local/pkg/googleauth.py
+++ b/net/pfSense-pkg-freeradius2/files/usr/local/pkg/googleauth.py
@@ -1,4 +1,7 @@
 #!/usr/local/bin/python2.7
+# Copyright: www.brool.com (http://www.brool.com/post/using-google-authenticator-for-your-website/)
+# License: CC0 1.0 Universal License
+
 import sys
 import time
 import struct
@@ -54,4 +57,4 @@ def authenticate(username, secretkey, pin, code_attempt):
 if auth == True:
 exit(0)
-exit(1)
\ No newline at end of file
+exit(1)
From 45ed5f701f641b55bde66845b48e76b6d7b7c6f2 Mon Sep 17 00:00:00 2001
From: Jan Rude
Date: Fri, 13 Jan 2017 14:13:24 +0100
Subject: [PATCH 6/6] Update freeradius.inc

---
 .../files/usr/local/pkg/freeradius.inc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.inc b/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.inc
index 29eef5c39880..c99be724d7b4 100644
--- a/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.inc
+++ b/net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.inc
@@ -101,7 +101,9 @@ function freeradius_install_command() {
 copy(FREERADIUS_BASE . "/pkg/googleauth.py", FREERADIUS_ETC . "/raddb/scripts/");
 chmod(REERADIUS_ETC . "/raddb/scripts/googleauth.py",0755);
 }
- if (!file_exists(FREERADIUS_ETC . "/raddb/modules/googleauth")) { copy(FREERADIUS_BASE . "/pkg/googleauth", FREERADIUS_ETC . "/raddb/modules/");}
+ if (!file_exists(FREERADIUS_ETC . "/raddb/modules/googleauth")) {
+ copy(FREERADIUS_BASE . "/pkg/googleauth", FREERADIUS_ETC . "/raddb/modules/");
+ }
 // Disable virtual-server we do not need by default
 if (file_exists(FREERADIUS_ETC . "/raddb/sites-enabled/control-socket")) { unlink(FREERADIUS_ETC . "/raddb/sites-enabled/control-socket"); }