Yubico Forum

Hello YubiRADIUS users,

As you may have already observed, as of last night YubiRADIUS has not been correctly authenticating YubiKeys. Our technical team has uncovered the root of the issue.

A security patch for FreeRADIUS released last night has impacted the YubiRADIUS authentication, preventing the validation of any YubiKey generated OTP combined with user credentials (Username / Password). We are urgently working on a YubiRADIUS Patch to resolve this issue.

When available, YubiRADIUS users will be contacted via email and the patch with installation instructions will be accessible below.


We will be posting updates to this thread as developments occur.


Update:

The Yubico Team has released a patch resolving the Authentication failures users may have been experiencing with YubiRADIUS always rejecting every authentication response, even with valid credentials. This issue affects YubiRADIUS 3.5, 3.5.1 and 3.5.3.

Apply patch
To apply the patch, please follow the link below for your version of YubiRADIUS and follow the steps within. This patch will need to be applied to every instance of YubiRADIUS in use.

YubiRADIUS v3.5
YubiRADIUS v3.5.1
YubiRADIUS v3.5.3

Repeat the above patch for any additional YubiRADIUS instances you may have for failover or live backup. No particular server order will need to be observed when applying the patch, just ensure all servers are updated.


Disable Security Updates for the YubiRADIUS Virtual Application
The underlying issue has been tracked back to a security update for FreeRADIUS automatically distributed by the Debian OS used in the YubiRADIUS Virtual Appliance. To prevent future updates from impacting the YubiRADIUS service, Yubico recommends YubiRADIUS users disable the automatic updates for Debian. Yubico will test future updates for compatibly and inform YubiRADIUS users though email which security updates can be installed without impacting YubiRADIUS functionality. Automatic updates can be disabled by following the steps below.

_________________
-David Maples
Yubico Senior Solutions Engineer
http://www.Yubico.com

Disabling Security Updates:

To Disable Security Updates for the YubiRADIUS Virtual Application:

1. Login to the system console of YubiRADIUS virtual appliance.

2. Go to Main Menu and Open System >> Administration >> Software Sources and a pop-up will be shown. You will need to provide the Root account Password to access this dialog.

3. On the Software Sources (as superuser) pop-up, Select "Updates" tab.

4. In the Updates tab, locate the "Automatic Updates" section. Uncheck "Check for updates" option, then click on the "Close" button to save the settings.

_________________
-David Maples
Yubico Senior Solutions Engineer
http://www.Yubico.com

Thanks for the prompt response in the way you've dealt with this.

A few comments:

1. Can you go into a bit more details about what the problem was? I notice the patch is to one library file which seems to be a radius library not specific to yubikey. I'm wondering if this is a problem for all (non-yubikey) radius servers. My quick checking seemed to suggest the library version number didn't increment which creates potential confusion as to which library is installed. So I'm wondering if this is a stop gap fix which a more measured update still to come.

2. It would be good to add to your notes the command line instructions for stopping automatic updates as well as GUI instructions.

3. A cosmetic observation. When bundling up the patch tarfile you've put the file in the toplevel directory rather than having all the files in a subdirectory as is usual convention/practice. I understand your focus was to get the patch out and such niceties may have been overlooked. Just commenting by way of improving the process for the future.

In the forum post you state : 'preventing the validation of any YubiKey generated OTP'
In our case the troubleshoot tab on the yubiradius server would succesfully authenticate a single OTP request.
But it would not authenticate a full request, including OTP and AD credentials as a result of this problem.

Our problem is solved by applying the patch, but I spend all day yesterday investigating the problem.
During my search I could not find a hint to what was going on in any log file

We were badly impacted by this as both our primary site and backup site were unavailable at the same time..........
(we use Yubiradius to authenticate users to two seperate Xenapp farms)

The issue stemmed from a security update FreeRADIUS made to a library we modified for YubiRADIUS. The updated library was distributed by Debian, overwriting the YubiRADIUS modified library, and causing the issues with YubiRADIUS. You are correct in that this is a stop-gap fix; we were already working on a packetized solution for the next release of YubiRADIUS when this issue occurred, which should prevent issues such as this from occurring in the future.


I will be adding these as soon as I have a definite set of instructions. Thank you for the suggestion!


We apologize for the inelegant fix, but as you stated, we desired to get this fix out as soon as possible. However, your point is well made, and we are continually working to improve our processes.


That is correct - I reported the issue with incorrect information. I have modified my original post, and beg your pardon for the confusion.


I wanted to thank the YubiRADIUS community for their patience during this issue. We understand that your authentication service is the gateway to most everything your users can do, and downtime on it represents a major impact on your work. YubiRADIUS continues to work towards our goal of becoming the most secure, most stable two-factor authentication solution for our price, and we thank all of our users in helping us do so.

_________________
-David Maples
Yubico Senior Solutions Engineer
http://www.Yubico.com