On Fri, May 09, 2008 at 08:17:25PM +0100, Yago Fdez. Hansen wrote:
Dana 9/5/2008, "Yago Fdez. Hansen" <sti@soportec.com> piše:
Hi everybody:
I am installing a lab test server with Freeradius 2.0.4 with all the authentication installed: CHAP, PAP, EAP and authorization over MySQL, users, system, and LDAP.
I installed it in the few last days and I have everything working now, but as I was testing it, I could notice a bug. I created users in every DB and file all of them with own password and user entries. When I was testing with radtest ALL worked fine, but I noticed that ONLY with PAP authentication and MySQL user it doesn't matter if I put a clear password in radtest larger than the original one I get an Access-Accept message.
Example:
radtest papsqluser papsecret localhost 0 testing123 Access-Accept
radtest papsqluser papsecret43343 localhost 0 testing123 Access-Accept
mysql> select * from radcheck -> ; +----+-------------+----------------+----+---------------+ | id | username | attribute | op | value | +----+-------------+----------------+----+---------------+ | 1 | Chapsqluser | User-Password | == | chapsecret | | 2 | Chapsqluser | Auth-Type | := | Local | | 3 | Papsqluser | Crypt-Password | == | /gTPHauHkNjWE | | 4 | Papsqluser | Auth-Type | := | Crypt-Local | +----+-------------+----------------+----+---------------+ 4 rows in set (0.00 sec)
The DES crypt algorithm only deals with the first 8 characters of the password. No bug, working as designed. -- Scott Lambert KC5MLE Unix SysAdmin lambert@lambertfam.org