Local User with multiple passwords (or RegEX passwords) possible?

Equin Nix equin.nix at googlemail.com
Thu Jul 7 15:09:27 CEST 2011


Phil, you got it working!

All of what you wrote was right:
- added Cleartext-Password2 to /usr/share/freeradius/dictionary.freeradius.internal
- created user file like this:
user Cleartext-Password := "1", Cleartext-Password2 += "2"
- updated sites-enabled/default to look like this (authorize section)

[..]
        #
        #  Read the 'users' file
        files {
        }

        if (("%{User-Password}" != "%{control:Cleartext-Password}") && ("%{User-Password}" != "%{control:Cleartext-Password2}")) {
                update reply {
                        Reply-Message = "I suck at FreeRadiusing!"
                }
                reject
        }
        else {
                update control {
                        Auth-Type := Accept
                }
        }
[..]

If I can buy you a beer or something (thinking of
https://secure.wikimedia.org/wikipedia/en/wiki/Beerware or
https://secure.wikimedia.org/wikipedia/en/wiki/Postcardware) just email me
:)

Best Regards




2011/7/7 Equin Nix <equin.nix at googlemail.com>

> Hi Phil,
>
> thanks a lot for the fast answer! Unfortunately your radius-skills seem to
> be far far from mine, but I think I get the point.
>
> I tried to add the following to *sites-enabled/default* (in authorize
> section) (It's not a full copy of your text, I wanted to start step by step):
>
> [...]
>         #
>         #  Read the 'users' file
>         files {
>                 # compare them
>                 if (User-Password != control:Cleartext-Password) {
>
>                         reject
>                 }
>
>
>                 # probably need to set Auth-Type := Accept here
>                 update control {
>                         Auth-Type := Accept
>                 }
>         }
> [...]
>
> and freeradius won't start (even if I remove the update control section).
> This is the error:
> [...]
> /etc/freeradius/sites-enabled/default[154]: Subsection of module instance
> call not allowed
> /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize
> section.
>
> Any idea what might cause the trouble? Line 154 is the "if
> (User-Password...." line.
>
> BTW: It is not possible with RegEx?
>
> Best regards from Germany
>
>
>
>
> 2011/7/7 Phil Mayers <p.mayers at imperial.ac.uk>
>
>> On 07/07/11 09:51, Equin Nix wrote:
>>
>>> Hi,
>>>
>>> I am trying to set up something very basic (at least from my point of
>>> view): I would like to have a User with multiple passwords (two
>>> actually). How would I do this? I tried the following:
>>>
>>> alice Auth-Type=Local, Cleartext-Password := "test1"
>>> alice Auth-Type=Local, Cleartext-Password := "test2"
>>>
>>
>> Do not set Auth-Type. It's almost always wrong, and is certainly wrong in
>> this case.
>>
>>
>> It might be possible to have >1 password; but it will probably only work
>> for PAP requests, unless you play carefully with module failover.
>>
>> It also probably won't work in the "users" file; this is because the
>> "User-Password" attribute is handled specially here, as a compatibility
>> synonym for Cleartext-Password.
>>
>> You could try something like this - define a second password attribute in
>> raddb/dictionary:
>>
>>
>> ATTRIBUTE       Cleartext-Password2     3002    string
>>
>> ...then set both in the "users" file:
>>
>> alice   Cleartext-Password := "foo", Cleartext-Password2 := "bar"
>>
>> ...then use unlang to perform the comparisons in sites-enabled/default:
>>
>> authorize {
>>
>>  ...
>>  # read the passwords from "files"
>>  files
>>  # compare them
>>  if ((User-Password != control:Cleartext-Password) && \
>>      (User-Password != control:Cleartext-Password2)) {
>>    reject
>>  }
>>
>>  # probably need to set Auth-Type := Accept here
>>  update control {
>>    Auth-Type := Accept
>>  }
>> }
>>
>> If you want to do this with requests that aren't PAP e.g. CHAP,
>> MSCHAP/PEAP etc. then it will be much harder.
>
>
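
Added example (not part of the original thread, and not FreeRADIUS code): a Python model of the accept/reject condition from the working authorize section above, next to a stricter check, showing how each behaves when the request carries no User-Password or a user has only one password configured. It assumes an unset attribute expands to an empty string inside "%{...}"; the function names and the sample users table are constructed for illustration.

```python
import hmac

# Constructed sample data standing in for the "users" file (control items).
USERS = {
    "user":   {"Cleartext-Password": "1", "Cleartext-Password2": "2"},
    "single": {"Cleartext-Password": "1"},   # second password never set
}

def expand(attrs, name):
    # Assumption: "%{name}" yields "" when the attribute is not present.
    return attrs.get(name, "")

def thread_condition_accepts(request, control):
    """Literal model of the string comparison posted in the thread."""
    pw = expand(request, "User-Password")
    reject = (pw != expand(control, "Cleartext-Password")) and \
             (pw != expand(control, "Cleartext-Password2"))
    return not reject

def strict_accepts(request, control):
    """Require a non-empty PAP password equal to a configured candidate."""
    pw = request.get("User-Password")
    if not pw:            # no User-Password (e.g. CHAP) or an empty one
        return False
    ok = False
    for name in ("Cleartext-Password", "Cleartext-Password2"):
        candidate = control.get(name)
        if candidate:     # ignore candidates that are not configured
            # Constant-time compare, no early exit between candidates.
            ok |= hmac.compare_digest(pw.encode(), candidate.encode())
    return ok

def check(username, password=None):
    """Return (thread_result, strict_result) for one constructed request."""
    request = {"User-Name": username}
    if password is not None:
        request["User-Password"] = password
    control = USERS.get(username, {})
    return thread_condition_accepts(request, control), strict_accepts(request, control)

if __name__ == "__main__":
    for case in [("user", "1"), ("user", "2"), ("user", "3"),
                 ("single", ""), ("nobody", None)]:
        print(case, check(*case))
```

The last two cases are where the results differ: under the stated assumption the literal comparison treats a missing attribute as equal to an empty string, while the strict variant rejects.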