Yubico Forum

I have installed the YubiX 0.6 Appliance, I have followed the guides to setup my own KSM, I generated a KSM key, generated keys. I then used the personalisation tool to write the key to slot 2 on one of my Yubikeys. I had created a user and set a password and assigned the Yubikey to the user.

When I test this from the command line it is working:

$ curl http://localhost/wsapi/decrypt?otp=cccccccccccb<removed>
OK counter=0002 low=14a7 high=d7 use=01

However when I test RADIUS it fails:

$ radtest test1 test1cccccccccccb<removed> localhost 0 testing123
Sending Access-Request of id 106 to 127.0.0.1 port 1812
User-Name = "test1"
User-Password = "test1cccccccccccb<removed>"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=106, length=275
Reply-Message = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>500 Internal Server Error</title>\n</head><body>\n<h1>Internal Server Error</h1>\n<p>The server encountered an internal error or\nmisconfiguration and was unable to complete\nyour request"

FreeRADIUS is using perl, which sends a HTTP POST to the localserver, which is using WSGI to call a Python script. In one of the imports it is decoding a base64 string, but the padding is incorrect and it is throwing an exception which is not caught, causing the mod_wsgi to report it could not load /usr/share/pyshared/yubiauth/client/rest.py as a Python module.

$ tail -n 20 /var/log/apache2/error.log
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] mod_wsgi (pid=12000): Target WSGI script '/usr/share/pyshared/yubiauth/client/rest.py' cannot be loaded as Python module.
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] mod_wsgi (pid=12000): Exception occurred processing WSGI script '/usr/share/pyshared/yubiauth/client/rest.py'.
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] Traceback (most recent call last):
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] File "/usr/share/pyshared/yubiauth/client/rest.py", line 41, in <module>
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] from yubiauth.client import Client
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] File "/usr/lib/python2.7/dist-packages/yubiauth/__init__.py", line 37, in <module>
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] from yubiauth.core.controller import YubiAuth
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] File "/usr/lib/python2.7/dist-packages/yubiauth/core/__init__.py", line 37, in <module>
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] from controller import YubiAuth
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] File "/usr/lib/python2.7/dist-packages/yubiauth/core/controller.py", line 30, in <module>
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] from yubiauth.util.controller import Controller
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] File "/usr/lib/python2.7/dist-packages/yubiauth/util/__init__.py", line 38, in <module>
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] from yubiauth.util.utils import MODHEX, validate_otp
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] File "/usr/lib/python2.7/dist-packages/yubiauth/util/utils.py", line 46, in <module>
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] use_https=use_https)
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] File "/usr/lib/python2.7/dist-packages/yubico_client/yubico.py", line 81, in __init__
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] translate_otp=True):
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] File "/usr/lib/python2.7/base64.py", line 76, in b64decode
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] raise TypeError(msg)
[Sat Jan 11 15:03:30 2014] [error] [client 127.0.0.1] TypeError: Incorrect padding

I modified the Python script to print out the key before it tries to base64 decode it, it is W6n5xCoajhXcKI38FLXgAhgd1TE. Trying to decode this on the command line also gives an error.

$ echo -n W6n5xCoajhXcKI38FLXgAhgd1TE | base64 -d
[???*??(?????1base64: invalid input

However if I add some padding it works fine.
$ echo -n W6n5xCoajhXcKI38FLXgAhgd1TE= | base64 -d
[???*??(?????1

It seems to me that the padding should exist, and/or the code should be more defensive with a try/except block or similar and more helpful error messages.

I am reading through more of the code to try to work out how to fix this. Any help on resolving this issue would be appreciated.

EDIT: I found that the parameter W6n5xCoajhXcKI38FLXgAhgd1TE is coming from YKVAL_CLIENT_SECRET defined in /etc/yubico/auth/yubiauth.conf. I added an "=" to the end to correct the padding. This has resolved the Internal Server Error, due to the WSGI error, due to the unhandled TypeError. I am now able to get Access-Accept responses from RADIUS! w00t. I think somewhere in the installation / firstboot scripts it is setting the password to an automatically randomly generated password and is not saving the padding at the end.

Thanks,
air

Hi,

When following the Getting Started guide, there's a section describing how you switch from using the YubiCloud to using the local validation server, where you copy a client ID and client API key via the YubiAdmin web interface, and paste them into the Validate OTP section of the YubiAuth section. The API key here corresponds to the YKVAL_CLIENT_SECRET parameter. Can you check the "API Clients" tab of the "YubiKey Validation Server" section in the web interface, and check to make sure there is indeed a "=" at the end? You can also check the "OTP Validation" tab of the "YubiAuth" section and make sure that the "API Key" field has the "=" as well. My guess is that it fell of when you copied it from one tab to the other, as double-clicking on a string to select it usually doesn't select "="-characters. We could probably change the interface so that it selects the full API Key when you click on it, to prevent this from happening.

Regards,
Dain
Yubico

Hi Dain, I just checked, and you were right, the "=" is there at the end. I must have double-clicked and didn't realise the whole string was not selected. Sorry for the junk bug report. When I checked the YubiAuth > OTP Validation page the API Key field has the "=" but this might be because I already manually fixed the backing file and have since reloaded everything multiple times.

If the Web GUI can be easily modified to have the whole field selected by a double-click, or by having a button/icon that when clicked automatically copies the key to the clipboard that would be a nice improvement. Also catching the error and reporting back something more meaningful rather than having it result in a HTTP 500 error might be good too.

Thanks,
air