bug-gnu-radius

RE: [Bug-gnu-radius] gnuradius 0.96.2 SecurID and Sybase


From: Steve . Bleazard
Subject: RE: [Bug-gnu-radius] gnuradius 0.96.2 SecurID and Sybase
Date: Thu, 6 Jun 2002 07:39:45 +0100

Sergey

I have now almost completed the SecurID and Sybase patches.  However, in the 
process I have come across a couple of issues, one minor the other more serious:

It appears that not all devices are intelligent enough to include a 
NAS-IP-Address, which makes client-based authorisation impossible.  I have 
therefore added optional code to add this field if it's missing.

The second issue is more serious as it interacts very badly with SecurID: When 
a request is received the queue is checked to determine if this is a duplicate 
request.  The checks include the authenticator field of each request.  Now, it 
appears that some devices (the Netscreen firewall appliance for example) resend 
the request with a different authenticator (but the same ID).

The problem is that SecurID, by design, inserts a 1 second delay before 
replying to a request.  Unfortunately, the standard RADIUS timeout used by a 
lot of devices (including the Netscreen) is also 1 second.  The upshot is that most 
authentication requests will retry at least once.

Now, because of the authenticator difference, the second request is not 
detected as a duplicate and passed to the securid backend.

Unfortunately, because this is a duplicate request and the password (actually 
passcode) is the same, the SecurID server detects a duplicate login attempt / 
replay attack.  A couple of retries later (depending on the SecurID setup) and 
the user's account is toast!

To resolve this issue I have included (optional) code to track SecurID 
authentications in an ndbm database and handle any duplicates by replying with 
the previous answer. I have used the request-cleanup-delay value to determine 
how long to allow.

While the solution is not pretty and introduces some replay attack 
possibilities it does make SecurID usage possible!

Steve

-----Original Message-----
From: Sergey Poznyakoff [mailto:address@hidden]
Sent: 24 May 2002 09:49
To: Bleazard, Steve
Cc: address@hidden
Subject: Re: [Bug-gnu-radius] gnuradius 0.96.2 SecurID and Sybase 


Hello, Steve

Thanks a lot for your efforts on adding new functionality to GNU
radius.

> Unfortunately, I have not been able to find a combination of
> automake and autoconf that work together: Older automake's complain
> that the AM_PROG_LIBTOOL is not defined and changing it to
> AC_PROG_LIBTOOL causes autoconf to complain.

Versions prior to and including 0.96.2 were built using the following
versions of the auto-tools:

autoconf -- 2.13
automake -- 1.4
libtool  -- 1.3 or 1.3.5

The AM_PROG_LIBTOOL complaint is probably due to the wrong order of
their invocation. The proper order is:

aclocal -I m4 &&
 libtoolize --automake -c &&
 autoheader &&
 automake -a -c &&
 autoconf

The current development version (1.0) of radius has switched to the latest
auto-tools. It differs very considerably from the 0.96 series
and is currently in alpha stage, so it is preferable to incorporate
your changes into the 0.96.2 branch.

> Is this the correct address to send the SecurID and Sybase code to?

Yes, it is the correct address. Should you need any more detailed
information, feel free to ask.

Regards,
Sergey

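The duplicate-detection problem Steve describes above is worth seeing in code. The following is an added example, not part of GNU Radius or of the patch discussed in the thread. It models the standard per-packet duplicate check (source address, source port, Identifier and Request Authenticator all have to match), shows why a client that retransmits with a fresh authenticator slips past it, and then implements the alternative the message sketches: an answer cache keyed by NAS address, user and passcode, with entries that live for the request-cleanup-delay. Everything beyond the thread is an assumption of this example: the cache is an in-memory dict standing in for the ndbm file, the passcode is stored as a keyed HMAC digest rather than in clear, the packet source address is used where a NAS-IP-Address may be absent, and a copy that arrives while the first is still waiting on the token server is dropped rather than forwarded.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for a RADIUS Access-Request; only the fields that matter
# for duplicate detection are modelled (assumption, not GNU Radius internals).
@dataclass(frozen=True)
class AccessRequest:
    src_ip: str
    src_port: int
    identifier: int        # 8-bit RADIUS Identifier
    authenticator: bytes   # 16-byte Request Authenticator
    user_name: str
    passcode: str          # decrypted User-Password (PIN + token code for SecurID)

def queue_detects_duplicate(queue, req) -> bool:
    """Standard per-packet check: the queued request must match on source
    address, source port, Identifier and Request Authenticator. A client that
    retransmits with a fresh authenticator (the Netscreen behaviour in the
    thread) is therefore never recognised as a duplicate."""
    return any(q.src_ip == req.src_ip and q.src_port == req.src_port
               and q.identifier == req.identifier
               and q.authenticator == req.authenticator
               for q in queue)

_PENDING = object()   # sentinel: first copy is at the token server, no verdict yet

class SecurIDAnswerCache:
    """Tracks SecurID authentications by (NAS address, user, passcode digest)
    so the token server sees each passcode once. An entry is PENDING until the
    backend answers, then holds the reply; it expires after cleanup_delay
    seconds (mirrors request-cleanup-delay). The retention window is also the
    window in which a replayed passcode gets the cached verdict, so keep it short.
    Constructed example; a dict replaces the thread's on-disk ndbm store."""

    def __init__(self, cleanup_delay: float, secret: bytes):
        self.cleanup_delay = cleanup_delay
        self._secret = secret
        self._entries: Dict[Tuple[str, str, str], Tuple[float, object]] = {}

    def _key(self, req: AccessRequest):
        # Keyed digest so the cache never holds passcodes in clear (assumption).
        digest = hmac.new(self._secret, req.passcode.encode(), hashlib.sha256).hexdigest()
        return (req.src_ip, req.user_name, digest)

    def _expire(self, now: float) -> None:
        self._entries = {k: v for k, v in self._entries.items()
                         if now - v[0] <= self.cleanup_delay}

    def begin(self, req: AccessRequest, now: float) -> Tuple[str, Optional[object]]:
        """("forward", None): send to the token server and record as pending.
        ("drop", None): an identical request is in flight; the client will retry.
        ("reply", verdict): answer from cache without touching the backend."""
        self._expire(now)
        key = self._key(req)
        entry = self._entries.get(key)
        if entry is None:
            self._entries[key] = (now, _PENDING)
            return ("forward", None)
        _, state = entry
        if state is _PENDING:
            return ("drop", None)
        return ("reply", state)

    def complete(self, req: AccessRequest, reply: object, now: float) -> None:
        """Record the backend's verdict so later retransmissions get the same answer."""
        self._entries[self._key(req)] = (now, reply)

def simulate_retransmissions(client_timeout=1.0, backend_delay=1.0, cleanup_delay=10.0):
    """Replays the thread's scenario: the client's RADIUS timeout equals the
    token server's reply delay, so the same logon arrives three times, each
    copy carrying a fresh Request Authenticator. Returns how many copies reach
    the backend under each policy."""
    cache = SecurIDAnswerCache(cleanup_delay, secret=b"constructed-cache-key")
    queue, actions = [], []
    naive_calls = cached_calls = 0
    copies = [AccessRequest("192.0.2.10", 1812, 7, bytes([n]) * 16, "alice", "1234567890")
              for n in (1, 2, 3)]
    arrivals = [0.0, client_timeout, 2 * client_timeout]
    reply_time = backend_delay + 0.1   # token server answers just after the first retry
    answered = False
    for req, now in zip(copies, arrivals):
        if not answered and now >= reply_time:
            cache.complete(copies[0], "Access-Accept", reply_time)
            answered = True
        if not queue_detects_duplicate(queue, req):   # naive per-packet policy
            naive_calls += 1
            queue.append(req)
        action, _ = cache.begin(req, now)             # answer-cache policy
        actions.append(action)
        if action == "forward":
            cached_calls += 1
    return {"naive_backend_calls": naive_calls,
            "cached_backend_calls": cached_calls,
            "actions": actions}
```

With the default timings the naive policy forwards all three copies to the token server, which is exactly the pattern that trips SecurID's duplicate-login detection; the cache forwards the first, drops the second while the verdict is outstanding, and answers the third from cache. The trade-off the message itself points out is visible in `cleanup_delay`: any request with the same passcode inside that window is answered without the token server ever seeing it, so the delay should be no longer than the client's retry schedule requires.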



