All password checks disabled... ugh

Stefan Winter stefan.winter at restena.lu
Tue Apr 15 18:49:10 CEST 2014


Hi,

> Hi,
>
> On Tue, Apr 15, 2014 at 10:26:22AM +0200, Stefan Winter wrote:
>> In FreeRADIUS 3, I retained this, NT-Passwords are found, pap
>> returns noop(?), authorize returns ok, and then I see 
>>
>> Auth-Type = Accept, accepting the user
>>
>> *regardless of his password* ?
> Can't reproduce it here. Have you got a minimal config that
> creates it?

Sorry, limited time to work on this today. Maybe tomorrow.

> The pap module returns noop without printing output in only a very
> few cases; the only ones really are if it can't find a password and
> you're proxying or some eap types are set.

As you see, no proxying (no suffix module at all) nor EAP-Message in the
debug log.

> The only case I can see is if the dictionary lookup for the module
> name fails, and it can't set the auth-type name correctly. But
> even then it sets Auth-Type to 0, not 254 (Accept).

I have looked at other occasions where NT-Password gets used (e.g. we
have a vserver which pulls it out of SQL). I guess I should be seeing
that normify() outputs something in the debug output I sent - but not at
all. It is hex-encoded though, so the RDEBUG2 inside normify can't
possibly be silent.

This makes me believe that the NT-Password is not actually evaluated.
But then again, the log also says that the line matched, so it should
really get going.

Wondering about inst->normify - that's inside an if. Maybe it is false,
so pw_found is set to true, but the normifying is never done? I also see
that instantiate() does not set inst->normify. Does it have to? Not good
enough in C to answer this.

I should also note that other clients are mapped to the same virtual
server - and check the password correctly. It only fails
deterministically for two clients of that virtual server.

Greetings,

Stefan Winter


>
>
> ...
>> (11)   [mschap] = noop
>> (11)   [eap-staff] = noop
>> (11)   [pap] = noop
>> (11)    if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" ) 
>> (11) EXPAND %{Packet-Src-IP-Address}
>> (11)    --> 158.64.1.65
>> (11)    if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" )  -> FALSE
>> (11)  } #  authorize = ok
>> (11) Auth-Type = Accept, accepting the user
> ...
>
>
> Are you sure it's definitely the pap module that's setting
> Auth-Type? If you comment it out, does the blank password still
> authenticate?
>
> If so, a binary chop on your config to find the culprit may be
> helpful.
>
> Matthew
>
>

