Multiple Cleartext-Password?
Has anyone made a patch to rlm_pap and rlm_chap so that it supports multiple instances of Cleartext-Password? The idea would be to succeed if the incoming request matches any one of them. (This could be helpful for a migration where a user could be logging in with one of several variants of the password in the database) Thanks, Brian.
Has anyone made a patch to rlm_pap and rlm_chap so that it supports multiple instances of Cleartext-Password? The idea would be to succeed if the incoming request matches any one of them.
You wouldn't have multiple Cleartext-Password attributes. You would just have one in the request (the one entered by the user). You want to compare against multiple passwords. Are you using the users file? If so, couldn't you just list multiple entries for each user (one for each password that is acceptable)?
On Wed, May 18, 2011 at 11:20:14AM -0400, Garber, Neal wrote:
Has anyone made a patch to rlm_pap and rlm_chap so that it supports multiple instances of Cleartext-Password? The idea would be to succeed if the incoming request matches any one of them.
You wouldn't have multiple Cleartext-Password attributes. You would just have one in the request (the one entered by the user).
The one entered by the user is in User-Password (or CHAP-Password or whatever), not Cleartext-Password.
You want to compare against multiple passwords.
The password that auth_pap/auth_chap compares against is in a Cleartext-Password attribute in the control list. So we'd need multiple instances of that.
Are you using the users file?
No, we're using mysql, but it doesn't make any difference to this discussion.
If so, couldn't you just list multiple entries for each user (one for each password that is acceptable)?
That doesn't work - try it and see: somebody Cleartext-Password := "foo" Fall-Through = Yes somebody Cleartext-Password += "bar" The auth_pap / auth_chap modules only validate the first Cleartext-Password found. Regards, Brian.
Brian Candler wrote:
Has anyone made a patch to rlm_pap and rlm_chap so that it supports multiple instances of Cleartext-Password? The idea would be to succeed if the incoming request matches any one of them.
My $0.02 is to use rlm_perl, and do the password comparison yourself.
(This could be helpful for a migration where a user could be logging in with one of several variants of the password in the database)
I see how that's useful, but that kind of thing worries me a lot. It can be used/abused in many ways. I could see the code going in for 3.0, but only in a way where it takes work to enable it. Otherwise, most people using it will get it wrong. Alan DeKok.
On Wed, May 18, 2011 at 05:33:01PM +0200, Alan DeKok wrote:
I see how that's useful, but that kind of thing worries me a lot. It can be used/abused in many ways.
I could see the code going in for 3.0, but only in a way where it takes work to enable it. Otherwise, most people using it will get it wrong.
OK. Thanks for the feedback Alan. If there were a loop scanning for Cleartext-Password attributes, instead of using pairfine(), there could still be a flag which makes it stop after the first one. I'll see if the need arises, and then follow your guidance if I end up implementing it. Regarding 3.0: will this be forked from v2.1.x? The 'master' branch has had hardly any commits for a while, and the last time I tried to build it it failed. Regards, Brian.
Brian Candler wrote:
If there were a loop scanning for Cleartext-Password attributes, instead of using pairfine(), there could still be a flag which makes it stop after the first one.
Yes.
Regarding 3.0: will this be forked from v2.1.x? The 'master' branch has had hardly any commits for a while, and the last time I tried to build it it failed.
The git "master" branch works. It will become 3.0 this year. Alan DeKok.
On Wed, 2011-05-18 at 14:57 +0100, Brian Candler wrote:
Has anyone made a patch to rlm_pap and rlm_chap so that it supports multiple instances of Cleartext-Password? The idea would be to succeed if the incoming request matches any one of them.
(This could be helpful for a migration where a user could be logging in with one of several variants of the password in the database)
You can use LDAP for authentication. At least OpenLDAP allows multiple userPassword's: bind succeeds if supplied password matches any. -- Alexander M. Pravkin
On Thu, May 19, 2011 at 09:39:05AM +0400, Alexander M. Pravkin wrote:
(This could be helpful for a migration where a user could be logging in with one of several variants of the password in the database)
You can use LDAP for authentication. At least OpenLDAP allows multiple userPassword's: bind succeeds if supplied password matches any.
Unforunately, LDAP bind authentication doesn't work for CHAP (which is used by the majority of ADSL in the UK). rlm_auth_chap needs the cleartext password.
participants (4)
-
Alan DeKok -
Alexander M. Pravkin -
Brian Candler -
Garber, Neal