2.x.x (and earlier?): yet another decoding SSHA issue

Stefan Winter stefan.winter at restena.lu
Mon Jul 22 10:39:44 CEST 2013


Hi,

> 0x%{base64tohex: %{control:RESTENA-SSHA1-Password1}}

Sorry (again), but this still doesn't get the job done. xlat is
now happy and produces a hex value, but it must be doing something
wrong; I'm getting "Passwords don't match.". This is today's GIT of
2.x.x.

Since this is an en-/decoding thing, I don't mind sending a
temporary cleartext password along with the debug.

I can confirm that the base64 hash itself is in order: if I send
the incoming request to a different virtual server, which uses the
DB's SSHA1-Password attribute directly, I can authenticate.

Greetings,

Stefan Winter

# ./radtest swinter Exclamation\!Mark123 127.0.0.1:1812 123 testing123
Sending Access-Request of id 171 to 127.0.0.1 port 1812
        User-Name = "swinter"
        User-Password = "Exclamation!Mark123"
        NAS-IP-Address = 158.64.2.206
        NAS-Port = 123
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=171, length=20

And the relevant part of the debug output is:

++- entering policy redundant {...}
[sql-smtp-hash]         expand: %{User-Name} -> swinter
[sql-smtp-hash] sql_set_user escaped user --> 'swinter'
rlm_sql (sql-smtp-hash): Reserving sql socket id: 2
[sql-smtp-hash]         expand: (SELECT id, username, 'RESTENA-SSHA1-Password', value, op FROM check_smtp_ssha1 WHERE username='%{SQL-User-Name}') -> (SELECT id, username, 'RESTENA-SSHA1-Password', value, op FROM check_smtp_ssha1 WHERE username='swinter')
rlm_sql_mysql: query:  (SELECT id, username, 'RESTENA-SSHA1-Password', value, op FROM check_smtp_ssha1 WHERE username='swinter')
[sql-smtp-hash] User found in radcheck table
rlm_sql (sql-smtp-hash): Released sql socket id: 2
+++[sql-smtp-hash] returns ok
++- policy redundant returns ok
        expand: %{control:RESTENA-SSHA1-Password} -> oPQYKSRg5w8XWEiJCcNtzKRhUhtJMUQ/WjdCWlVQS2JWN2Qz
        expand: 0x%{base64tohex: %{control:RESTENA-SSHA1-Password}} -> 0xffff18292460ff0f175848ff09ff6dffff61521b4931443f5a37425a55504b6256376433
++[control] returns ok
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /usr/local/freeradius/config/raddb/sites-enabled/SMTP
+- entering group PAP {...}
++- entering policy pap_hash_debugfallback {...}
+++- entering group  {...}
[pap] login attempt with password "Exclamation!Mark123"
[pap] Using SSHA encryption.
[pap] Passwords don't match
++++[pap] returns reject
++++? if ("%{control:RESTENA-Debug-Password}" )
        expand: %{control:RESTENA-Debug-Password} -> 
? Evaluating ("%{control:RESTENA-Debug-Password}" ) -> FALSE
++++? if ("%{control:RESTENA-Debug-Password}" ) -> FALSE
[pap] login attempt with password "Exclamation!Mark123"
[pap] Using SSHA encryption.
[pap] Passwords don't match
++++[pap] returns reject
+++- group  returns reject
++- policy pap_hash_debugfallback returns reject
Failed to authenticate the user.
} # server SMTP

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
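
An added diagnostic, not part of the original message and not FreeRADIUS code: it decodes the stored base64 value from the debug output independently, compares it byte by byte with the hex string the xlat produced, and checks the test password against both. The function names are illustrative.

```python
import base64
import hashlib
import hmac

# Both values are copied from the debug output in the message above.
STORED_B64 = "oPQYKSRg5w8XWEiJCcNtzKRhUhtJMUQ/WjdCWlVQS2JWN2Qz"
XLAT_HEX = ("ffff18292460ff0f175848ff09ff6dffff61521b"
            "4931443f5a37425a55504b6256376433")
SHA1_LEN = hashlib.sha1().digest_size  # 20


def split_ssha(raw):
    """Split decoded SSHA1 bytes into (digest, salt)."""
    if len(raw) <= SHA1_LEN:
        raise ValueError("expected a 20-byte SHA-1 digest followed by a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_matches(password, raw):
    """True if SHA1(password + salt) equals the digest stored in raw."""
    digest, salt = split_ssha(raw)
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def byte_diff(expected, observed):
    """List (offset, expected_byte, observed_byte) for every differing byte."""
    if len(expected) != len(observed):
        raise ValueError("length mismatch: %d vs %d" % (len(expected), len(observed)))
    return [(i, e, o) for i, (e, o) in enumerate(zip(expected, observed)) if e != o]


if __name__ == "__main__":
    reference = base64.b64decode(STORED_B64, validate=True)
    observed = bytes.fromhex(XLAT_HEX)
    for offset, want, got in byte_diff(reference, observed):
        print("offset %2d: reference %02x, xlat output %02x" % (offset, want, got))
    password = b"Exclamation!Mark123"  # temporary test password from the radtest call
    print("reference decoding verifies:", ssha_matches(password, reference))
    print("xlat output verifies:      ", ssha_matches(password, observed))
```

For the values in the log, the seven bytes that differ are all 0x80 or higher in the reference decoding and appear as ff in the xlat output; the salt bytes are identical in both.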
