3.0.0: slightly confusing mods-config/files/authorize "John Doe"
Hi, as every year, I'm unleashing the most current version of FreeRADIUS on my unsuspecting students, to see if they find their way around. This year it was 3.0.0 (yesterday, nice timing!) and there was one unfortunate thing. 3.0.0 by default enables "files" for flatfile username and password storage, which is good. In mods-config/files/authorize, the first "normal" entry (not Reject, proper cleartext-password, not a DEFAULT entry, only a single harmless reply item) is the example of "John Doe". In 2.x.x, I used to tell folks that the John Doe entry is the example to uncomment and test auth against. With the shipped default config of 3.0.0 though, John Doe will be rejected even if his password is correct - the "filter_username" will block the user before he even gets to password checking. IMHO, the mods-config/files/authorize should either a) contain a "normal" user higher up, so that it springs to mind as "the thing to do". E.g. a johndoe instead of/before a "John Doe" b) the comments before "John Doe" should explain that for this example to work, filter_username needs to be disabled. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Stefan Winter wrote:
With the shipped default config of 3.0.0 though, John Doe will be rejected even if his password is correct - the "filter_username" will block the user before he even gets to password checking.
Yes... spaces in user names should be discouraged.
IMHO, the mods-config/files/authorize should either
a) contain a "normal" user higher up, so that it springs to mind as "the thing to do". E.g. a johndoe instead of/before a "John Doe"
b) the comments before "John Doe" should explain that for this example to work, filter_username needs to be disabled.
I'll just change it to "JohnDoe". Alan DeKok.
Hi,
I'll just change it to "JohnDoe".
That guy still won't be able to authenticate; filter_username would reject him due to mixed case: filter_username { # # reject mixed case # e.g. "UseRNaMe" # if (User-Name != "%{tolower:%{User-Name}}") { reject } johndoe would work though. Stefan
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
participants (2)
-
Alan DeKok -
Stefan Winter