username with several passwords. Which op value?

John Dennis jdennis at redhat.com
Wed Apr 22 19:31:22 CEST 2009


Santiago Balaguer García wrote:
>  Hi,
>  
>   I want the 'san0001' user to have two passwords.  In my 
> radcheck table there is:
>  
>               Username |   Attribute   | op  | value
>               ------------------------------------
>                 san0001   Password       ??      santi1
>                 san0001   Password       ??      santi2
>  
> Which op value do I have to use (=, :=, +=, ==)?

Multiple valid passwords for a single user is a bad idea for a host of 
reasons. On top of that the username field should be a unique primary 
key disallowing duplicates enforced by the SQL database. I have no clue 
what it means to query a username and get multiple rows back and I 
suspect the internal code would be confused by this as well (note I have 
not looked at the code in question, but I would suspect it would do one 
of two things, use the first row returned or fail with an error if 
multiple rows). The concept of iterating over multiple rows until a 
password finally works is so dubious I would be most surprised if it 
were coded this way (and if it was I'd consider it a bug and security flaw).

The short answer is don't do this and don't expect the server to work 
this way.

-- 
John Dennis <jdennis at redhat.com>
