rlm_perl and CHAP authentication
Hi all! It seems CVS version of rlm_perl may have some negative impact on CHAP authentication. If you use rlm_perl in authorize{}, it will replace request vps with contents of %RAD_REQUEST. After that, request->username and request->password are updated. Result is, that rlm_chap in authenticate{} is not able to find CHAP password any more. main/auth.c fallbacks to searching for PW_CHAP_PASSWORD if PW_PASSWORD is not found. Would it make sense to do the same in rlm_perl? Something like: --- rlm_perl.c.orig 2007-02-08 17:11:48.000000000 +0100 +++ rlm_perl/rlm_perl.c 2007-02-08 17:26:43.000000000 +0100 @@ -1069,6 +1069,11 @@ PW_USER_NAME); request->password = pairfind(request->packet->vps, PW_USER_PASSWORD); + /* User-Password not found, try CHAP-Password */ + if (request->password == NULL) { + request->password = pairfind(request->packet->vps, + PW_CHAP_PASSWORD); + } } if ((get_hv_content(rad_reply_hv, &vp)) > 0 ) { Maybe modifying rlm_chap may be better approach... Ideas? th.
Tomas Hoger wrote:
Hi all!
It seems CVS version of rlm_perl may have some negative impact on CHAP authentication. If you use rlm_perl in authorize{}, it will replace request vps with contents of %RAD_REQUEST. After that, request->username and request->password are updated. Result is, that rlm_chap in authenticate{} is not able to find CHAP password any more. main/auth.c fallbacks to searching for PW_CHAP_PASSWORD if PW_PASSWORD is not found.
OK, I've fixed that in rlm_perl, and updated rlm_chap && src/main/auth.c to be a little smarter about looking for CHAP-Password Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Fri, Feb 09, 2007 at 02:10:03PM +0100, Alan DeKok wrote:
It seems CVS version of rlm_perl may have some negative impact on CHAP authentication. If you use rlm_perl in authorize{}, it will replace request vps with contents of %RAD_REQUEST. After that, request->username and request->password are updated. Result is, that rlm_chap in authenticate{} is not able to find CHAP password any more. main/auth.c fallbacks to searching for PW_CHAP_PASSWORD if PW_PASSWORD is not found.
OK, I've fixed that in rlm_perl, and updated rlm_chap && src/main/auth.c to be a little smarter about looking for CHAP-Password
Regarding changes in rlm_chap - looking into the code, I see you have added explicit pairfind for CHAP password and vp pointer is stored in chap. However, request->password is used for length checking right below and further down in function. In worst case, this can be NULL. That's what happened with previous version of rlm_perl. th.
Tomas Hoger wrote:
Regarding changes in rlm_chap - looking into the code, I see you have added explicit pairfind for CHAP password and vp pointer is stored in chap. However, request->password is used for length checking right below and further down in function. In worst case, this can be NULL. That's what happened with previous version of rlm_perl.
Fixed, thanks. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Tomas Hoger