radius挑战认证

做基于radius的双因子认证，但未找到一个方便测试的radius服务器，网上找了freeradius，折腾了很久没有搞定，想了想是否可以自己写一个，只要有一个radius的雏形，发一个challenge应该是比较简单的。

pyrad

找到了pyrad，这个是提供一个radius的基本操作的库，提供了客户端和服务端的库，试了一下服务端，windows上起不来，于是只能从头写。
基本思路是自己创建一个udp socket，进行监听，收到报文后，使用pyrad进行解析，然后做身份验证的处理，再用pyrad创建回应消息。
代码如下：

from pyrad import * import socket import pyrad.host import random BUFSIZE = 1024 KEY = b"testing123" CHALLENGE = "test2" class RadiusServer(pyrad.host.Host): def __init__(self): dict = pyrad.dictionary.Dictionary("dictionary.rfc2865") #从freeradius中搞一个通用的字典使用 pyrad.host.Host.__init__(self, dict=dict) def get_challenge(self): #产生一个4字节的随机挑战码 challenge = "" challenge = challenge + str(chr(random.randint(65,90))) challenge = challenge + str(chr(random.randint(65,90))) challenge = challenge + str(chr(random.randint(65,90))) challenge = challenge + str(chr(random.randint(65,90))) return challenge def check_pass(self, radpkt): #检查用户名密码，这里简单处理一下，如果密码是test则发起挑战，如果输入正确的挑战码，回应正确，否则失败 global CHALLENGE print("check user") if radpkt.PwCrypt(CHALLENGE) == radpkt["User-Password"][0]: radpkt.code = packet.AccessAccept CHALLENGE = self.get_challenge() #挑战码使用过后就更换掉 print("AccessAccept") elif radpkt.PwCrypt("test") == radpkt["User-Password"][0]: radpkt.code = packet.AccessChallenge CHALLENGE = self.get_challenge() radpkt.AddAttribute("Reply-Message", CHALLENGE) #把挑战码发给客户端 print("AccessChallenge， please input", CHALLENGE) else: radpkt.code = packet.AccessReject print("AccessReject") def get_pkt(self, pkt): get_pw = None get_name = None radpkt = self.CreateAuthPacket(packet=pkt) #解析请求报文 print("code:", radpkt.code) print("authenticator:", radpkt.authenticator) print("id:", radpkt.id) #radpkt.code = packet.AccessChallenge radpkt.secret = KEY for key in radpkt.keys(): print(key, radpkt[key]) if key == "User-Password": get_pw = 1 if key == "User-Name": get_name = 1 if 1 == get_pw and 1 == get_name: self.check_pass(radpkt) return radpkt.ReplyPacket() ip_port = (\'\', 1812) server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # udp协议 server.bind(ip_port) while True: data,client_addr = server.recvfrom(BUFSIZE) srv = RadiusServer() reply = srv.get_pkt(data) server.sendto(reply, client_addr)

测试，采用freeradius中自带的ratest进行测试。

使用第一次验证用的密码进行请求： C:\FreeRADIUS.net\bin>radclient.exe -d ..\etc\raddb -f radtest.txt -x -s 127.1 auth testing123 Sending Access-Request of id 172 to 127.0.0.1 port 1812 User-Name = "admin" User-Password = "test" NAS-IP-Address = 127.0.0.1 NAS-Port = 123 rad_recv: Access-Challenge packet from host 127.0.0.1:1812, id=172, length=63 User-Name = "admin" User-Password = "test" NAS-IP-Address = 127.0.0.1 NAS-Port = 123 Reply-Message = "PFJT" Total approved auths: 1 Total denied auths: 0 Total lost auths: 0 PS C:\FreeRADIUS.net\bin> .\radtest.bat 收到了应答，里面带了挑战码 #使用挑战码去请求： C:\FreeRADIUS.net\bin>radclient.exe -d ..\etc\raddb -f radtest.txt -x -s 127.1 auth testing123 Sending Access-Request of id 0 to 127.0.0.1 port 1812 User-Name = "admin" User-Password = "PFJT" NAS-IP-Address = 127.0.0.1 NAS-Port = 123 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=0, length=57 User-Name = "admin" User-Password = "PFJT" NAS-IP-Address = 127.0.0.1 NAS-Port = 123 Total approved auths: 1 Total denied auths: 0 Total lost auths: 0 PS C:\FreeRADIUS.net\bin> .\radtest.bat 第二次使用挑战码请求，挑战码已经失效，应该请求失败： C:\FreeRADIUS.net\bin>radclient.exe -d ..\etc\raddb -f radtest.txt -x -s 127.1 auth testing123 Sending Access-Request of id 196 to 127.0.0.1 port 1812 User-Name = "admin" User-Password = "PFJT" NAS-IP-Address = 127.0.0.1 NAS-Port = 123 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=196, length=57 User-Name = "admin" User-Password = "PFJT" NAS-IP-Address = 127.0.0.1 NAS-Port = 123 Total approved auths: 0 Total denied auths: 1 Total lost auths: 0

再改进一下，回应的报文中少点请求的属性。

from pyrad import * import socket import pyrad.host import random BUFSIZE = 1024 KEY = b"testing123" CHALLENGE = "test2" class RadiusServer(pyrad.host.Host): def __init__(self): dict = pyrad.dictionary.Dictionary("dictionary.rfc2865") #从freeradius中搞一个通用的字典使用 pyrad.host.Host.__init__(self, dict=dict) def get_challenge(self): #产生一个4字节的随机挑战码 challenge = "" challenge = challenge + str(chr(random.randint(65,90))) challenge = challenge + str(chr(random.randint(65,90))) challenge = challenge + str(chr(random.randint(65,90))) challenge = challenge + str(chr(random.randint(65,90))) return challenge def check_pass(self, radpkt, get_pw): #检查用户名密码，这里简单处理一下，如果密码是test则发起挑战，如果输入正确的挑战码，回应正确，否则失败 global CHALLENGE print("check user") pwd = "" if 1 == get_pw: pwd = radpkt["User-Password"][0] if radpkt.PwCrypt(CHALLENGE) == pwd: radpkt.code = packet.AccessAccept CHALLENGE = self.get_challenge() #挑战码使用过后就更换掉 print("AccessAccept") elif radpkt.PwCrypt("test") == pwd: radpkt.code = packet.AccessChallenge CHALLENGE = self.get_challenge() radpkt.AddAttribute("Reply-Message", CHALLENGE) #把挑战码发给客户端 print("AccessChallenge， please input", CHALLENGE) else: radpkt.code = packet.AccessReject print("AccessReject") def get_pkt(self, pkt): get_pw = None get_name = None radpkt = self.CreateAuthPacket(packet=pkt) #解析请求报文 print("code:", radpkt.code) print("authenticator:", radpkt.authenticator) print("id:", radpkt.id) #radpkt.code = packet.AccessChallenge radpkt.secret = KEY for key in radpkt.keys(): print(key, radpkt[key]) if key == "User-Password": get_pw = 1 if key == "User-Name": get_name = 1 if 1 == get_pw and 1 == get_name: self.check_pass(radpkt, get_pw) reply = radpkt.CreateReply() for key in radpkt.keys(): if key == "User-Name": reply.AddAttribute("User-Name", radpkt["User-Name"][0]) if key == "Reply-Message": reply.AddAttribute("Reply-Message", radpkt["Reply-Message"][0]) if key == "NAS-IP-Address": reply.AddAttribute("NAS-IP-Address", radpkt["NAS-IP-Address"][0]) #reply.source = radpkt.source reply.code = radpkt.code return reply.ReplyPacket() ip_port = (\'\', 1812) server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # udp协议 server.bind(ip_port) while True: data,client_addr = server.recvfrom(BUFSIZE) srv = RadiusServer() reply = srv.get_pkt(data) server.sendto(reply, client_addr)