FreeRADIUS 3.0 - Help with understanding op value for cleartext-password
Hi all, I've got my server working ok, one thing that I'm curious about is why the op value for Cleartext-Password is ':=' rather than '==' ? As my google-fu appears to be lacking I figured I might as well ask the question. Thanks, Ian.
Am Mittwoch, 6. Juli 2016, 12:06:28 schrieb Ian Hiddleston:
Hi all,
I've got my server working ok, one thing that I'm curious about is why the op value for Cleartext-Password is ':=' rather than '==' ?
As my google-fu appears to be lacking I figured I might as well ask the question.
Thanks, Ian.
goole: man 5 users bash: man 5 users Attribute := Value Always matches as a check item, and replaces in the configuration items any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added. As a reply item, it has an identical meaning, but for the reply items, instead of the request items. Attribute == Value As a check item, it matches if the named attribute is present in the request, AND has the given value. Not allowed as a reply item. if you use "==" the Cleartext-Password must be in the incomming RADIUS request. Very unlikely. Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Ah, that makes sense! I'm asking because I was sat staring at this for a bit before figuring it out. I did read through the Operators bit on the website, I guess I failed pretty hard at getting the wider picture logic though. At the time I was trying to match a plaintext password in the request to a plaintext password in the DB, which I thought would work with '=='. We don't use these accounts for anything other than matching DSL users to routes (not integrated with other backends) so the password is more for misconfiguration prevention than anything security related. Received Access-Request Id 170 from 127.0.0.1:39871 to 127.0.0.1:1812 length 79 User-Name = 'cocotest4' User-Password = 'Password01' NAS-IP-Address = 10.9.4.53 NAS-Port = 1812 Message-Authenticator = 0x6d25a89d069f56a85c48af5b3559227d ... (0) mancmsmrad01mc1 : EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (0) mancmsmrad01mc1 : --> cocotest4 (0) mancmsmrad01mc1 : SQL-User-Name set to 'cocotest4' rlm_sql (mancmsmrad01mc1): Reserved connection (4) (0) mancmsmrad01mc1 : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) mancmsmrad01mc1 : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'cocotest4' ORDER BY id rlm_sql (mancmsmrad01mc1): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'cocotest4' ORDER BY id' (0) mancmsmrad01mc1 : User found in radcheck table ... (0) [mancmsmrad01mc1] = ok (0) } # redundant redundant_sql = ok (0) [expiration] = noop (0) [logintime] = noop (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (0) WARNING: pap : Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject MariaDB [radius]> select * from radcheck where username='cocotest4'; +------+-----------+--------------------+----+------------+ | id | username | attribute | op | value | +------+-----------+--------------------+----+------------+ | 1653 | cocotest4 | Cleartext-Password | == | Password01 | +------+-----------+--------------------+----+------------+ Thanks, Ian On 6 July 2016 at 12:10, Michael Schwartzkopff <ms@sys4.de> wrote:
Am Mittwoch, 6. Juli 2016, 12:06:28 schrieb Ian Hiddleston:
Hi all,
I've got my server working ok, one thing that I'm curious about is why the op value for Cleartext-Password is ':=' rather than '==' ?
As my google-fu appears to be lacking I figured I might as well ask the question.
Thanks, Ian.
goole: man 5 users bash: man 5 users
Attribute := Value Always matches as a check item, and replaces in the configuration items any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added. As a reply item, it has an identical meaning, but for the reply items, instead of the request items. Attribute == Value As a check item, it matches if the named attribute is present in the request, AND has the given value. Not allowed as a reply item.
if you use "==" the Cleartext-Password must be in the incomming RADIUS request. Very unlikely.
Mit freundlichen Grüßen,
Michael Schwartzkopff
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Schleißheimer Straße 26/MG, 80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jul 6, 2016, at 8:23 AM, Ian Hiddleston <ian.hid@gmail.com> wrote:
Ah, that makes sense! I'm asking because I was sat staring at this for a bit before figuring it out. I did read through the Operators bit on the website, I guess I failed pretty hard at getting the wider picture logic though. At the time I was trying to match a plaintext password in the request to a plaintext password in the DB, which I thought would work with '=='.
You should never "match" passwords. The simple explanation is that there are many password storage method (crypt, etc.), and many authentication methods (PAP, CHAP, MS-CHAP, etc.) You should tell the server what the "known good" password is. The server will then do the authentication itself. After all, FreeRADIUS is an authentication server. Let it do authentication, and everything will "just work". Alan DeKok.
On Wed, Jul 06, 2016 at 12:06:28PM +0100, Ian Hiddleston wrote:
I've got my server working ok, one thing that I'm curious about is why the op value for Cleartext-Password is ':=' rather than '==' ?
As my google-fu appears to be lacking I figured I might as well ask the question.
Try http://wiki.freeradius.org/config/Operators := sets the attribute (even if it is already set) = sets the attribute (only if it doesn't exist) == is a test to see if the attribute matches Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (4)
-
Alan DeKok -
Ian Hiddleston -
Matthew Newton -
Michael Schwartzkopff