Old password 'grace period'
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Thu Jun 25 14:31:58 CEST 2009
On 25/6/09 13:11, Ivan Kalik wrote:
>>> I have tested something like this yesterday - it doesn't. You can't just
>>> replace Cleartext-Password. NT-Password and LM-Password were created for
>>> the "new" password and mschap module will reuse them, completely ignoring
>>> "old" Cleartext-Password. They need to be removed or replaced before
>>> mschap module is called again.
>> Writes the NT-Password and LM-Password values back to the control list of
>> the request.
>>
>> But seeing as the values are just being stored in the control list of the
>> request,
>> we can remove them using unlang.
>>
>>
>> authenticate {
>>     mschap {
>
> Just for the readers of the list - the section is Auth-Type MS-CHAP not
> mschap.
Oops, yep Auth-Type MS-CHAP.
>
>>         update control {
>>             Cleartext-Password := "%{sql_new:SELECT<cleartext password
>>             query...>}"
>>         }
>>         mschap {
>>             reject = 2
>>         }
>
> Ah, so that's how you make it work.
Yep. Otherwise reject has a priority/opcode of reject, and the request is rejected ;)
>
>>         if (reject) {
>>             update control {
>>                 NT-Password -= "%{control:NT-Password}"
>>                 LM-Password -= "%{control:LM-Password}"
>
> Yes, I had that lined up, but couldn't get it to work.
>
>>                 Cleartext-Password := "%{sql_old:SELECT<cleartext
>>                 password query...>}"
>>             }
>>             mschap
>>         }
>>     }
>> }
>
> Ok, pap failover done this way now works. I can't test mschap from where I
> am right now but I don't see a problem any more. My construction is
> slightly different - I read only replacement password from sql assuming
> that the usual one is pulled by regular sql queries (my scenario has
> Cleartext-Password and custom attribute Old-Password both in same radcheck
> table).
That should work fine too.
So you can just swap out the first update control { Cleartext-Password .... } bit for a call to the SQL module. Though you'd probably want to put it in the authorise section...
So it'd be something like:

instantiate {
    sql_old
}

authorize {
    # Retrieves credentials
    sql_new
    # Sets Auth-Type MS-CHAP
    mschap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap {
            reject = 2
        }
        if (reject) {
            # Remove stale password hashes created on first call to rlm_mschap
            update control {
                NT-Password -= "%{control:NT-Password}"
                LM-Password -= "%{control:LM-Password}"
                Cleartext-Password := "%{sql_old:SELECT<cleartext password query...>}"
            }
            mschap
        }
    }
}
Arran
--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
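As an added illustration (not part of the thread or of FreeRADIUS itself), here is a small Python model of why the stale NT-Password in the control list matters: rlm_mschap reuses a cached NT-Password instead of re-deriving it from Cleartext-Password, so the second mschap call only sees the "old" password once the hash has been removed, which is what the update control { NT-Password -= ... } step does. The hash comparison is a stand-in for the real MS-CHAP challenge/response, LM-Password is omitted, and MD4 falls back to SHA-256 (labelled) where OpenSSL does not provide it.

```python
import hashlib


def nt_hash(password: str) -> bytes:
    """NT-Password as rlm_mschap derives it: MD4 over the UTF-16LE password.
    Stand-in: falls back to SHA-256 where this OpenSSL build has no MD4."""
    data = password.encode("utf-16-le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        return hashlib.sha256(data).digest()  # labelled stand-in only


def mschap(control: dict, client_hash: bytes) -> str:
    """Model of rlm_mschap: if control:NT-Password already exists it is reused;
    otherwise it is derived from control:Cleartext-Password and cached there.
    Real MS-CHAP compares a challenge/response, simplified here to a hash match."""
    if "NT-Password" not in control:
        if "Cleartext-Password" not in control:
            return "noop"
        control["NT-Password"] = nt_hash(control["Cleartext-Password"])
    return "ok" if control["NT-Password"] == client_hash else "reject"


def grace_period_auth(new_pw: str, old_pw: str, client_pw: str,
                      remove_stale: bool) -> str:
    """Failover from the new password to the old one, as in the thread.
    remove_stale mirrors 'update control { NT-Password -= ... }'."""
    control = {"Cleartext-Password": new_pw}   # what sql_new would supply
    client_hash = nt_hash(client_pw)           # what the client proves it knows
    rc = mschap(control, client_hash)
    if rc != "reject":
        return rc
    if remove_stale:
        control.pop("NT-Password", None)       # drop the hash of the new password
    control["Cleartext-Password"] = old_pw     # what sql_old would supply
    return mschap(control, client_hash)
```

Without the removal step the second call still sees the cached hash of the new password and rejects a client using the old one; with it, the old password is accepted and a wrong password is still rejected.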