On 3 Oct 2012, at 11:53, Matthew Newton <mcn4@LEICESTER.AC.UK> wrote:
Hi,
On Sat, Sep 29, 2012 at 06:58:00AM +0200, Alan DeKok wrote:
Matthew Newton wrote:
As another thought, maybe rlm_pap should now also refuse to auth against a password in User-Password? I moved the warning over from auth.c, but pap still allows it to work. 3.0 would seem to be a good place to finally break this.
It's probably a good idea. Doing the User-Password thing breaks many authentication types. It's time to NOT be backwards compatible with 10+ years of stupidity.
Cleartext-Password has been around since 1.1.3. It's time people used it.
On this basis, I've made a new patch which removes User-Password checking from rlm_pap auth entirely, and moves the warning from auth back to the autz (but then fails auth).
I guess it's a balance between forcing the Right Thing, and the number of questions on freeradius-users... although I guess they will be many when 3.0 is released anyway.
Hopefully the documentation will be clear on the subject. See raddb/README.md. It explains the upgrade process.
There's also a patch which adds a warning to the documentation that User-Password should be updated to Cleartext-Password.
Both at https://github.com/mcnewton/freeradius-server/commits/rlm_pap_tidy
Patch looks good, pull request? -Arran