All password checks disabled... ugh

Stefan Winter stefan.winter at restena.lu
Wed Apr 16 09:26:49 CEST 2014


Hi,

> As you can see, staff/authorize/pap actually found the NT-Password and did its stuff with it.
> 
> If you compare that with the same pap instance on the other request, it just says noop.

And if you look at the previous line: in the correct flow, the eap-staff
module is also not silent and prints out "eap-staff : No EAP-Message,
not doing EAP"; but in the incorrect one, it only prints "noop".

> So, I can only suspect that the proxy-to-vserver functionality breaks it.

And this continues to be my suspicion.

Stefan

> 
> Greetings,
> 
> Stefan Winter
> 
> 
> On 15.04.2014 10:26, Stefan Winter wrote:
>> Hi,
>>
>> posting to devel, as this is possibly a severe bug. Apologies if not.
>>
>> In FR 2, I authenticated our staff against a users-style file, setting NT-Password := ...
>>
>> Their passwords were checked.
>>
>> In FreeRADIUS 3, I retained this, NT-Passwords are found, pap returns noop(?), authorize returns ok, and then I see 
>>
>> Auth-Type = Accept, accepting the user
>>
>> *regardless of his password* ?
>>
>> I've rolled back the one affected vserver that had this problem, but would be really interested in an explanation. Here is the -X flow:
>>
>> rad_recv: Access-Request packet from host 158.64.1.65 port 46814, id=96, length=63
>>         User-Name = 'ctompers'
>>         User-Password = ''
>>         NAS-Identifier = 'AAI-Staff-IdP'
>> (11) # Executing section authorize from file /usr/local/freeradius/config/raddb/sites-enabled/AAI
>> (11)   authorize {
>> (11)    if ( NAS-Identifier == "AAI-Staff-IdP" ) 
>> (11)    if ( NAS-Identifier == "AAI-Staff-IdP" )  -> TRUE
>> (11)   if ( NAS-Identifier == "AAI-Staff-IdP" )  {
>> (11)    update request {
>> (11)    RESTENA-Service-Type := 'Staff-AAI'
>> (11)    } # update request = noop
>> (11)   } # if ( NAS-Identifier == "AAI-Staff-IdP" )  = noop
>> (11)    ... skipping else for request 11: Preceding "if" was taken
>> (11) suffix : No '@' in User-Name = "ctompers", looking up realm NULL
>> (11) suffix : No such realm "NULL"
>> (11)   [suffix] = noop
>> (11)    if ( NAS-Identifier == "AAI-Staff-IdP" ) 
>> (11)    if ( NAS-Identifier == "AAI-Staff-IdP" )  -> TRUE
>> (11)   if ( NAS-Identifier == "AAI-Staff-IdP" )  {
>> (11)    update control {
>> (11)    Proxy-To-Realm := 'TO-STAFF'
>> (11)    } # update control = noop
>> (11)   } # if ( NAS-Identifier == "AAI-Staff-IdP" )  = noop
>> (11)    ... skipping else for request 11: Preceding "if" was taken
>> (11)  } #  authorize = noop
>> Proxying to virtual server staff
>> (11) # Executing section authorize from file /usr/local/freeradius/config/raddb/sites-enabled/staff
>> (11)   authorize {
>> (11)    if ( "%{NAS-Identifier}" == "ejabberd" ) 
>> (11) EXPAND %{NAS-Identifier}
>> (11)    --> AAI-Staff-IdP
>> (11)    if ( "%{NAS-Identifier}" == "ejabberd" )  -> FALSE
>> (11)    elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" ) 
>> (11) EXPAND %{NAS-Identifier}
>> (11)    --> AAI-Staff-IdP
>> (11)    elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" )  -> TRUE
>> (11)   elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" )  {
>> (11)    update request {
>> (11)    RESTENA-Service-Type = 'Staff-AAI'
>> (11)    } # update request = noop
>> (11)   } # elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" )  = noop
>> (11)    ... skipping else for request 11: Preceding "if" was taken
>> (11)    if ( "%{client:staff_type}" == "Nagios-Login" && User-Name == "testuser.monitor" ) 
>> (11) Client does not contain config item "staff_type"
>> (11) EXPAND %{client:staff_type}
>> (11)    --> 
>> (11)    if ( "%{client:staff_type}" == "Nagios-Login" && User-Name == "testuser.monitor" )  -> FALSE
>> (11)    if ( "%{RESTENA-Service-Type}" == "Staff-Jabber" ) 
>> (11) EXPAND %{RESTENA-Service-Type}
>> (11)    --> Staff-AAI
>> (11)    if ( "%{RESTENA-Service-Type}" == "Staff-Jabber" )  -> FALSE
>> (11) auth_log_silent : EXPAND /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail
>> (11) auth_log_silent :    --> /var/log/radius/radacct/20140415/Staff-AAI-service/auth-detail
>> (11) auth_log_silent : /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail expands to /var/log/radius/radacct/20140415/Staff-AAI-service/auth-detail
>> (11) auth_log_silent : EXPAND %t
>> (11) auth_log_silent :    --> Tue Apr 15 09:57:57 2014
>> (11)   [auth_log_silent] = ok
>> (11)    if ( "%{RESTENA-Service-Type}" == "Staff-IMAP" && "%{strlen:%{User-Password}}" == "96" ) 
>> (11) EXPAND %{RESTENA-Service-Type}
>> (11)    --> Staff-AAI
>> (11)    if ( "%{RESTENA-Service-Type}" == "Staff-IMAP" && "%{strlen:%{User-Password}}" == "96" )  -> FALSE
>> (11)   else else {
>> (11) staff-auth : users: Matched entry ctompers at line 22
>> (11)    [staff-auth] = ok
>> (11)   } # else else = ok
>> (11)    if ( "%{RESTENA-Service-Type}" == "Staff-AAI" ) 
>> (11) EXPAND %{RESTENA-Service-Type}
>> (11)    --> Staff-AAI
>> (11)    if ( "%{RESTENA-Service-Type}" == "Staff-AAI" )  -> TRUE
>> (11)   if ( "%{RESTENA-Service-Type}" == "Staff-AAI" )  {
>> (11) staff-attributes : users: Matched entry ctompers at line 45
>> (11)    [staff-attributes] = ok
>> (11)   } # if ( "%{RESTENA-Service-Type}" == "Staff-AAI" )  = ok
>> (11)   [mschap] = noop
>> (11)   [eap-staff] = noop
>> (11)   [pap] = noop
>> (11)    if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" ) 
>> (11) EXPAND %{Packet-Src-IP-Address}
>> (11)    --> 158.64.1.65
>> (11)    if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" )  -> FALSE
>> (11)  } #  authorize = ok
>> (11) Auth-Type = Accept, accepting the user
>> (11) # Executing section post-auth from file /usr/local/freeradius/config/raddb/sites-enabled/staff
>> (11)   post-auth {
>> (11)   restena_log_policy restena_log_policy {
>>
>> You see two files matches:
>>
>> the first one, "staff-auth : users: Matched entry ctompers at line 22" is the NT-Password:
>>
>> [...]
>> ctompers      NT-Password := EA38E7ADC559499F31CF4FA0F195ABCD
>> [...]
>>
>> (the password hash is edited)
>>
>> The second match is a series of reply attributes, none of which is Auth-Type of course. The match at that line 45 is expected.
>>
>> But... WHY does it not check the password against the NT-Password? This same config works with FreeRADIUS 2; pap returns updated, authorize returns updated, and authenticate checks the input against the configured password?
>>
>> Greetings,
>>
>> Stefan Winter
>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
>>


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
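As an added example (not from the thread or from FreeRADIUS itself): a small Python checker over -X debug output that flags requests reaching "Auth-Type = Accept, accepting the user" while pap, mschap and every eap module returned noop, which is the symptom described above. The sample output is constructed from the lines quoted in the thread (request 11) plus an invented healthy request 12 for contrast.

```python
import re

# Constructed sample: request 11 is cut down from the -X output quoted in the
# thread; request 12 is invented, showing pap finding a known-good password.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 158.64.1.65 port 46814, id=96, length=63
        User-Name = 'ctompers'
        User-Password = ''
(11)   [staff-auth] = ok
(11)   [mschap] = noop
(11)   [eap-staff] = noop
(11)   [pap] = noop
(11) Auth-Type = Accept, accepting the user
rad_recv: Access-Request packet from host 192.0.2.10 port 40000, id=97, length=70
        User-Name = 'example.user'
        User-Password = 'hunter2'
(12)   [pap] = updated
(12) Found Auth-Type = PAP
"""

RCODE_RE = re.compile(r"^\((\d+)\)\s+\[([\w-]+)\] = (\w+)")
ACCEPT_RE = re.compile(r"^\((\d+)\) Auth-Type = Accept, accepting the user")
ATTR_RE = re.compile(r"^\s+([\w-]+) = '(.*)'$")
# Only these modules verify a credential; "ok" from a users-file lookup or a
# logger (staff-auth, auth_log_silent) says nothing about the password.
AUTH_PREFIXES = ("pap", "mschap", "eap")

def parse_debug(text):
    """Group -X output per request id: attrs, module return codes, accepted flag."""
    requests, pending = {}, {}
    for line in text.splitlines():
        if line.startswith("rad_recv:"):
            pending = {}  # packet attributes precede the first "(N)" line
        elif m := ATTR_RE.match(line):
            pending[m.group(1)] = m.group(2)
        elif m := re.match(r"^\((\d+)\)", line):
            req = requests.setdefault(m.group(1), {"attrs": {}, "rcodes": {}, "accepted": False})
            req["attrs"].update(pending); pending = {}
            if mm := RCODE_RE.match(line):
                req["rcodes"][mm.group(2)] = mm.group(3)
            elif ACCEPT_RE.match(line):
                req["accepted"] = True
    return requests

def unchecked_accepts(text):
    """Ids of requests accepted although every authentication module returned noop."""
    flagged = []
    for rid, req in parse_debug(text).items():
        verified = any(code != "noop" for name, code in req["rcodes"].items()
                       if name.startswith(AUTH_PREFIXES))
        if req["accepted"] and not verified:
            flagged.append(rid)
    return flagged
```

Run it over a full -X capture (for example `unchecked_accepts(open("radius-debug.log").read())`) to list the request ids that were accepted without any credential check; the parsed attrs also expose the empty User-Password seen in the thread's packet.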