Non-ascii username and linelog

Jean-Marc TÊTU jm.tetu at telecom-bretagne.eu
Tue Jun 7 11:32:35 CEST 2016


Hello,

First : sorry for my very bad English...

We run FreeRADIUS 3.0.11 on an Ubuntu 14.04,
and it seems that one of our students has found a way to knock out our server.

He tries to authenticate with a User-Name in non-ASCII, and FreeRADIUS crashes on the write (in the linelog module) of %{User-Name}

linelog {
....
 messages {
                default = "Unknown packet type %{Packet-Type}"

           Access-Accept = "%D:%H:%G : Accept : %{User-Name} : %{Calling-Station-Id} : %{NAS-IP-Address} : %{Called-Station-Id}"
           Access-Reject = "%D:%H:%G : Reject : %{User-Name} : %{Calling-Station-Id} : %{NAS-IP-Address} : %{Called-Station-Id}"

 }
...
}


The User-Name seems to be UTF-8 Unicode text.
I isolated the guilty string in a file (wke):


hexdump -C wke 
00000000  ef bd 97 ef bd 8b ef bd  85 0a                    |..........|
0000000a

cat wke 
wke



I reproduced the problem with the initial example configuration for FreeRADIUS, modified to use linelog (in the post-auth section); the (partial) output of radiusd -X:


Ready to process requests
(1) Received Access-Request Id 34 from 127.0.0.1:43956 to 127.0.0.1:1812 length 79
(1)   User-Name = "wke"
(1)   User-Password = "hello"
(1)   NAS-IP-Address = 127.0.1.1
(1)   NAS-Port = 0
(1)   Message-Authenticator = 0x6bbba1a108aee843ee5c78a8efcf4788
(1) # Executing section authorize from file /usr/local/FR3011/etc/raddb//sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (!&User-Name) {
(1)       if (!&User-Name)  -> FALSE
(1)       if (&User-Name =~ / /) {
(1)       if (&User-Name =~ / /)  -> FALSE
(1)       if (&User-Name =~ /@.*@/ ) {
(1)       if (&User-Name =~ /@.*@/ )  -> FALSE
(1)       if (&User-Name =~ /\.\./ ) {
(1)       if (&User-Name =~ /\.\./ )  -> FALSE
(1)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)       if (&User-Name =~ /\.$/)  {
(1)       if (&User-Name =~ /\.$/)   -> FALSE
(1)       if (&User-Name =~ /@\./)  {
(1)       if (&User-Name =~ /@\./)   -> FALSE
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "wke", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1)     [files] = noop
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1)     [pap] = noop
(1)   } # authorize = ok
(1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/FR3011/etc/raddb//sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(1) linelog:    --> messages.Access-Reject
(1) linelog: EXPAND /usr/local/FR3011/var/log/radius/linelog
(1) linelog:    --> /usr/local/FR3011/var/log/radius/linelog


with this configuration:


# Loading module "linelog" from file /usr/local/FR3011/etc/raddb//mods-enabled/linelog
  linelog {
        filename = "/usr/local/FR3011/var/log/radius/linelog"
        escape_filenames = no
        syslog_severity = "info"
        permissions = 384
        format = "This is a log message for %{User-Name}"
        reference = "messages.%{%{reply:Packet-Type}:-default}"
  }


If somebody has an idea....

And thanks for having read this very long text (in incorrect English).....


-- 
Regards,

Jean-Marc Têtu

--------------------------------------------------------------
Jean-Marc Têtu, Direction Informatique et Système d'Information 
Tel : 02 29 00 10 87,  Email: jm.tetu at telecom-bretagne.eu
Institut Mines-Télécom -  TELECOM Bretagne
Pointe du Diable
CS 83818
29238 BREST CEDEX 3
--------------------------------------------------------------
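As an added example (not code from the post above nor from the FreeRADIUS project), the following Python script does three things a practitioner would want when triaging this report: it turns the `hexdump -C` line back into bytes and names each code point of the User-Name (the three bytes-triples decode to fullwidth Latin letters, which is why `cat wke` looks like an ordinary "wke"), it implements the printable-ASCII check a `filter_username`-style policy would need to reject such names before linelog expands them, and it builds an Access-Request with the same attributes and the same length (79 bytes) as the one in the debug output, so the crash can be replayed against a lab server with a plain UDP socket. The shared secret `testing123` and the NAS-IP-Address 127.0.1.1 are assumptions taken from the stock `clients.conf` and the debug output; the server address and port are the ones in the post.

```python
"""Added example: analyse the non-ASCII User-Name from the post and build a
replayable Access-Request. Not part of the original mailing-list post.
Assumes the default shared secret 'testing123' from the stock clients.conf."""
import hashlib
import hmac
import os
import unicodedata

# The 'hexdump -C' line from the post (trailing 0x0a is the newline added by the editor).
WKE_HEXDUMP_LINE = "00000000  ef bd 97 ef bd 8b ef bd  85 0a                    |..........|"


def parse_hexdump_line(line):
    """Turn one 'hexdump -C' line back into bytes (offset and ASCII column dropped)."""
    body = line.split("|", 1)[0]          # drop the |....| ASCII column
    fields = body.split()[1:]             # drop the leading offset
    return bytes(int(h, 16) for h in fields)


def describe_username(raw):
    """Decode the User-Name as UTF-8 and name each code point.
    The newline from the file is stripped; it is not part of the attribute."""
    text = raw.rstrip(b"\n").decode("utf-8")
    return [("U+%04X" % ord(ch), unicodedata.name(ch)) for ch in text]


def username_is_ascii(raw):
    """The check a filter_username-style policy would apply: printable ASCII only."""
    return all(0x20 <= b < 0x7F for b in raw)


def encrypt_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: pad to 16 bytes, then XOR each
    block with MD5(secret + previous ciphertext block), seeded by the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def attr(attr_type, value):
    """One RADIUS attribute: type, total length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(username, password, secret, ident=34, authenticator=b""):
    """Build an Access-Request with the attributes seen in the debug output:
    User-Name, User-Password, NAS-IP-Address=127.0.1.1, NAS-Port=0, Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(1, username)
             + attr(2, encrypt_user_password(password, secret, authenticator))
             + attr(4, bytes([127, 0, 1, 1]))          # NAS-IP-Address (assumed from the debug output)
             + attr(5, (0).to_bytes(4, "big"))        # NAS-Port = 0
             + attr(80, b"\x00" * 16))                # Message-Authenticator placeholder
    length = 20 + len(attrs)
    pkt = bytes([1, ident]) + length.to_bytes(2, "big") + authenticator + attrs
    # RFC 2869 section 5.14: HMAC-MD5 over the packet with the MA value zeroed.
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def verify_message_authenticator(pkt, secret):
    """Recompute the Message-Authenticator of a packet whose MA is the last attribute."""
    zeroed = pkt[:-16] + b"\x00" * 16
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[-16:])


if __name__ == "__main__":
    raw = parse_hexdump_line(WKE_HEXDUMP_LINE).rstrip(b"\n")
    for cp, name in describe_username(raw):
        print(cp, name)
    print("printable ASCII:", username_is_ascii(raw))
    pkt = build_access_request(raw, b"hello", b"testing123")
    print("Access-Request length:", len(pkt))
    # To replay against a lab server (never production), uncomment:
    # import socket; socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(pkt, ("127.0.0.1", 1812))
```

The `username_is_ascii` check is a workaround to keep such names out of the linelog expansion, not a fix for whatever the module does with the bytes; the point of the packet builder is to give the maintainers a deterministic reproducer that does not depend on a terminal or IME rendering fullwidth characters correctly.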



