xlat failure in 2.1.8 (worked in 2.1.6)
Hi, after an upgrade from 2.1.6+ (a GIT version shortly after 2.1.6) to 2.1.8, we see failed mschap xlat on some exotic passwords. After some tests, we think that either the space character (" ") or the single quote ("'") cause xlat to fail. The basic use scenario is a mySQL DB backend which pulls a NT-Hash for the user. Input is PAP, so rlm_pap calls xlat:NT-Hash for the input, and then returns with the log message that mschap xlat failed. I've traced down the code in rlm_pap (no changes between the two versions), rlm_mschap (only unrelated changes), and main/xlat.c. xlat.c seems to have had a *major* revision in between. For the moment, I rolled back to 2.1.6+ (and had to give up on the "do_not_respond feature, sigh) but it would sure be nice if this worked again :-/. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
Stefan Winter wrote:
After some tests, we think that either the space character (" ") or the single quote ("'") cause xlat to fail.
OK.
The basic use scenario is a mySQL DB backend which pulls a NT-Hash for the user. Input is PAP, so rlm_pap calls xlat:NT-Hash for the input, and then returns with the log message that mschap xlat failed.
Debug says?
I've traced down the code in rlm_pap (no changes between the two versions), rlm_mschap (only unrelated changes), and main/xlat.c. xlat.c seems to have had a *major* revision in between.
Yes. The old code in xlat.c was wrong. It didn't do conditional expansion correctly. On looking into that, it did a number of other things wrong, too. i.e. it's a bit surprising that it worked. The new code is clearer, and doesn't have the problems of the old code.
For the moment, I rolled back to 2.1.6+ (and had to give up on the "do_not_respond feature, sigh) but it would sure be nice if this worked again :-/.
Send a test case over, and I'll take a look. It should be easy to fix, as the new code isn't insane. Alan DeKok.
Hi,
The basic use scenario is a mySQL DB backend which pulls a NT-Hash for the user. Input is PAP, so rlm_pap calls xlat:NT-Hash for the input, and then returns with the log message that mschap xlat failed.
Debug says?
It seems to be the single quote. Sorry for not attching it in the first place, debug from separate test box below: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 53873, id=57, length=64 User-Name = "xlat-to-hell" User-Password = "abc'def" NAS-IP-Address = 158.64.1.155 NAS-Port = 123 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "xlat-to-hell", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry xlat-to-hell at line 59 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "abc'def" [pap] Using NT encryption. [pap] Badly formatted variable: %{mschap:NT-Hash abc'def} [pap] mschap xlat failed [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject
Send a test case over, and I'll take a look. It should be easy to fix, as the new code isn't insane.
Above debug was on such a test instance. Fresh compilation an install, one line with Auth-Type := PAP, NT-Password := "0xsomething", radtest with the bad password in it. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
Stefan Winter wrote:
It seems to be the single quote. Sorry for not attching it in the first place, debug from separate test box below:
OK. A fix has been pushed to the "v2.1.x" branch on github && git.freeradius.org. The solution is to fix the PAP && MS-CHAP modules so that they use %{...} correctly. Alan DeKok.
participants (2)
-
Alan DeKok -
Stefan Winter