EAP-GTC does not include User-Password in any of the VP lists, hence python modules can't do anything with it

[alejandro-perez]

Issue type

• Defect - Non compliance with a standards document, or incorrect API usage.

Defect

Documentation in mods-enabled/eap say that

                #  The plain-text response which comes back
                #  is put into a User-Password attribute,
                #  and passed to another module for
                #  authentication.  This allows the EAP-GTC
                #  response to be checked against plain-text,
                #  or crypt'd passwords.

However, User-Password attribute is not put in any of the VPS lists (request, reply, config, proxy...). Hence, modules written in languages such as Python or Perl cannot access to it.

How to reproduce the issue

1. Configure EAP-TTLS with GTC as the inner method.
2. Use the example Python (with the pass_all_vps argument) or Perl modules to check the VP lists.
3. User-Password is not there.

What happens is that rlm_eap_gtc.c is setting the VP in request->password, but is not adding it to request->packet or request->config. This is not an issue if you want to implement your own C module, as you have access to the whole request structure. However, if you want to perform authentication using Python/Perl/... then you cannot get the value.

I guess it could be added also to request->config or request->packet. What do you think? If you agree I can easily create a PR with the functionality.

[alandekok]

Just add it to the config list. That's probably the best thing for 3.0.

[alejandro-perez]

Yes, right. Although I still could not modify it. What I want to achieve is to implement a 2-factor authentication using TOTP. I want to do something similar to what rlm_yubikey does (using the password to transport PWD+OTP_CODE, validating the code, and rewriting the PWD to restore it to the original value, so the authentication process works as it should). But maybe I MUST write a C module rather than a python one if for making it work I need to patch FR and that patch is not going to be useful to anyone but me.

[gm3197]

@alejandro-perez I am trying to implement something similar, using python to authenticate. How were you able to access the User-Password? alandekok suggested adding it to the config list, how is this done? Thanks.

[alejandro-perez]

@gm3197 sorry I was on leave and I couldn't answer.

Just make sure you enable the pass_all_vps_dict option, so you get all the VPs lists. I recommend you to enable the example python module that will dump all the VPs in the log output so you can check in what stage (e.g. authorize or post-auth) and list (e.g. request, config, etc.) is the information you are looking for.

IIRC you get the User-Password attribute in the request list during the authenticate stage.