Local User with multiple passwords (or RegEX passwords) possible?
Hi, I am trying to set up something very basic (at least from my point of view): I would like to have a User with multiple passwords (two actually). How would I do this? I tried the following: *alice Auth-Type=Local, Cleartext-Password := "test1" alice Auth-Type=Local, Cleartext-Password := "test2"* which (of course) did not work. Then *alice Auth-Type=Local, Cleartext-Password := "test1" Fall-Through = Yes alice Auth-Type=Local, Cleartext-Password := "test2"* which (of course) did not work, too. Then I tried some regex, from which, the following do not work: *alice Auth-Type=Local, User-Password =~ "[*]*" alice Auth-Type=Local, User-Password =~ /*/i alice Auth-Type=Local, User-Password =~ "(test1)**" alice Auth-Type=Local, User-Password =~ "[.....]*" ...* How would I make an entry to users to have *alice *log in with "*test1*" OR "*test2*" as password? Best regards
On 07/07/11 09:51, Equin Nix wrote:
Hi,
I am trying to set up something very basic (at least from my point of view): I would like to have a User with multiple passwords (two actually). How would I do this? I tried the following:
/alice Auth-Type=Local, Cleartext-Password := "test1" alice Auth-Type=Local, Cleartext-Password := "test2"/
Do not set Auth-Type. It's almost always wrong, and is certainly wrong in this case. It might be possible to have >1 password; but it will probably only work for PAP requests, unless you play carefully with module failover. It also probably won't work in the "users" file; this is because the "User-Password" attribute is handled specially here, as a compatibility synonym for Cleartext-Password. You could try something like this - define a second password attribute in raddb/dictionary: ATTRIBUTE Cleartext-Password2 3002 string ...then set both in the "users" file: alice Cleartext-Password := "foo", Cleartext-Password2 := "bar" ...then use unlang to perform the comparisons in sites-enabled/default: authorize { ... # read the passwords from "files" files # compare them if ((User-Password != control:Cleartext-Password) && \ (User-Password != control:Cleartext-Password2)) { reject } # probably need to set Auth-Type := Accept here update control { Auth-Type := Accept } } If you want to do this with requests that aren't PAP e.g. CHAP, MSCHAP/PEAP etc. then it will be much harder.
Hi Phil, thanks a lot for the fast answer! Unfortunatelly your radius-skills seem to be far far from mine, but I think I get the point. I tried to add the following to *sites-enabled/default* (int authorize section) (Its not a full copy of your text, I wanted to start step by step): [...] # # Read the 'users' file files { # compare them if (User-Password != control:Cleartext-Password) { reject } # probably need to set Auth-Type := Accept here update control { Auth-Type := Accept } } [...] and freeradius won't start (even if I remove the update control section). This is the error: [...] /etc/freeradius/sites-enabled/default[154]: Subsection of module instance call not allowed /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section. Any idea what might cause the trouble? Line 154 is the "if (User-Password...." line. BTW: It is not possible with RegEx? Best regards from Germany 2011/7/7 Phil Mayers <p.mayers@imperial.ac.uk>
On 07/07/11 09:51, Equin Nix wrote:
Hi,
I am trying to set up something very basic (at least from my point of view): I would like to have a User with multiple passwords (two actually). How would I do this? I tried the following:
/alice Auth-Type=Local, Cleartext-Password := "test1" alice Auth-Type=Local, Cleartext-Password := "test2"/
Do not set Auth-Type. It's almost always wrong, and is certainly wrong in this case.
It might be possible to have >1 password; but it will probably only work for PAP requests, unless you play carefully with module failover.
It also probably won't work in the "users" file; this is because the "User-Password" attribute is handled specially here, as a compatibility synonym for Cleartext-Password.
You could try something like this - define a second password attribute in raddb/dictionary:
ATTRIBUTE Cleartext-Password2 3002 string
...then set both in the "users" file:
alice Cleartext-Password := "foo", Cleartext-Password2 := "bar"
...then use unlang to perform the comparisons in sites-enabled/default:
authorize {
... # read the passwords from "files" files # compare them if ((User-Password != control:Cleartext-Password) && \ (User-Password != control:Cleartext-Password2)) { reject }
# probably need to set Auth-Type := Accept here update control { Auth-Type := Accept } }
If you want to do this with requests that aren't PAP e.g. CHAP, MSCHAP/PEAP etc. then it will be much harder. - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
You can't put unlang in the configuration block of the files module... Unlang can only exist in policy.conf and in virtual server files. -Arran On Jul 7, 2011, at 2:18 PM, Equin Nix wrote:
Hi Phil,
thanks a lot for the fast answer! Unfortunatelly your radius-skills seem to be far far from mine, but I think I get the point.
I tried to add the following to sites-enabled/default (int authorize section) (Its not a full copy of your text, I wanted to start step by step):
[...] # # Read the 'users' file files { # compare them if (User-Password != control:Cleartext-Password) { reject }
# probably need to set Auth-Type := Accept here update control { Auth-Type := Accept } } [...]
and freeradius won't start (even if I remove the update control section). This is the error: [...] /etc/freeradius/sites-enabled/default[154]: Subsection of module instance call not allowed /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
Any idea what might cause the trouble? Line 154 is the "if (User-Password...." line.
BTW: It is not possible with RegEx?
Best regards from Germany
2011/7/7 Phil Mayers <p.mayers@imperial.ac.uk> On 07/07/11 09:51, Equin Nix wrote: Hi,
I am trying to set up something very basic (at least from my point of view): I would like to have a User with multiple passwords (two actually). How would I do this? I tried the following:
/alice Auth-Type=Local, Cleartext-Password := "test1" alice Auth-Type=Local, Cleartext-Password := "test2"/
Do not set Auth-Type. It's almost always wrong, and is certainly wrong in this case.
It might be possible to have >1 password; but it will probably only work for PAP requests, unless you play carefully with module failover.
It also probably won't work in the "users" file; this is because the "User-Password" attribute is handled specially here, as a compatibility synonym for Cleartext-Password.
You could try something like this - define a second password attribute in raddb/dictionary:
ATTRIBUTE Cleartext-Password2 3002 string
...then set both in the "users" file:
alice Cleartext-Password := "foo", Cleartext-Password2 := "bar"
...then use unlang to perform the comparisons in sites-enabled/default:
authorize {
... # read the passwords from "files" files # compare them if ((User-Password != control:Cleartext-Password) && \ (User-Password != control:Cleartext-Password2)) { reject }
# probably need to set Auth-Type := Accept here update control { Auth-Type := Accept } }
If you want to do this with requests that aren't PAP e.g. CHAP, MSCHAP/PEAP etc. then it will be much harder. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter
On Thu, Jul 7, 2011 at 7:18 PM, Equin Nix <equin.nix@googlemail.com> wrote:
Hi Phil,
thanks a lot for the fast answer! Unfortunatelly your radius-skills seem to be far far from mine, but I think I get the point.
I tried to add the following to sites-enabled/default (int authorize section) (Its not a full copy of your text, I wanted to start step by step):
[...] # # Read the 'users' file files { # compare them if (User-Password != control:Cleartext-Password) { reject }
# probably need to set Auth-Type := Accept here update control { Auth-Type := Accept } } [...]
and freeradius won't start (even if I remove the update control section). This is the error: [...] /etc/freeradius/sites-enabled/default[154]: Subsection of module instance call not allowed
Don't put the comparison as a subsection of module instance. i.e. do NOT use files { <your stuff here> } instead use files <your stuff here> also see "man unlang". Among others, it explains how to use attributes, variables, and regex. -- Fajar
Sorry, make that: module calls cannot contain unlang, only rcode overrides. You want:
# # Read the 'users' file files # compare them if (User-Password != control:Cleartext-Password) { reject }
# probably need to set Auth-Type := Accept here update control { Auth-Type := Accept }
On Jul 7, 2011, at 2:18 PM, Equin Nix wrote:
Hi Phil,
thanks a lot for the fast answer! Unfortunatelly your radius-skills seem to be far far from mine, but I think I get the point.
I tried to add the following to sites-enabled/default (int authorize section) (Its not a full copy of your text, I wanted to start step by step):
[...] # # Read the 'users' file files { # compare them if (User-Password != control:Cleartext-Password) { reject }
# probably need to set Auth-Type := Accept here update control { Auth-Type := Accept } } [...]
and freeradius won't start (even if I remove the update control section). This is the error: [...] /etc/freeradius/sites-enabled/default[154]: Subsection of module instance call not allowed /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
Any idea what might cause the trouble? Line 154 is the "if (User-Password...." line.
BTW: It is not possible with RegEx?
Best regards from Germany
2011/7/7 Phil Mayers <p.mayers@imperial.ac.uk> On 07/07/11 09:51, Equin Nix wrote: Hi,
I am trying to set up something very basic (at least from my point of view): I would like to have a User with multiple passwords (two actually). How would I do this? I tried the following:
/alice Auth-Type=Local, Cleartext-Password := "test1" alice Auth-Type=Local, Cleartext-Password := "test2"/
Do not set Auth-Type. It's almost always wrong, and is certainly wrong in this case.
It might be possible to have >1 password; but it will probably only work for PAP requests, unless you play carefully with module failover.
It also probably won't work in the "users" file; this is because the "User-Password" attribute is handled specially here, as a compatibility synonym for Cleartext-Password.
You could try something like this - define a second password attribute in raddb/dictionary:
ATTRIBUTE Cleartext-Password2 3002 string
...then set both in the "users" file:
alice Cleartext-Password := "foo", Cleartext-Password2 := "bar"
...then use unlang to perform the comparisons in sites-enabled/default:
authorize {
... # read the passwords from "files" files # compare them if ((User-Password != control:Cleartext-Password) && \ (User-Password != control:Cleartext-Password2)) { reject }
# probably need to set Auth-Type := Accept here update control { Auth-Type := Accept } }
If you want to do this with requests that aren't PAP e.g. CHAP, MSCHAP/PEAP etc. then it will be much harder. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter
On 07/07/11 13:18, Equin Nix wrote:
Hi Phil,
thanks a lot for the fast answer! Unfortunatelly your radius-skills seem to be far far from mine, but I think I get the point.
I tried to add the following to /sites-enabled/default/ (int authorize section) (Its not a full copy of your text, I wanted to start step by step):
[...] # # Read the 'users' file files { # compare them
No, that's wrong. As per my original email, it should be: authorize { files if (...) { } You've got: authorize { files { ... } } ...which is wrong.
Did my last mail made it? --------- Last Mail: --------- Phil, you got it working! All of what you wrote was right: - added Cleartext-Password2 to /usr/share/freeradius/dictionary.freeradius.internal - created user file like this: user Cleartext-Password := "1", Cleartext-Password2 += "2" - updated sites-enabled/default to look like this (*authorize *section) [..] # # Read the 'users' file files { } if (("%{User-Password}" != "%{control:Cleartext-Password}") && ("%{User-Password}" != "%{control:Cleartext-Password2}")) { update reply { Reply-Message = "I suck at FreeRadiusing!" } reject } else { update control { Auth-Type := Accept } } [..] If I can buy you a beer or something (thinking of https://secure.wikimedia.org/wikipedia/en/wiki/Beerware or https://secure.wikimedia.org/wikipedia/en/wiki/Postcardware ) just email me :) Best Regards 2011/7/7 Phil Mayers <p.mayers@imperial.ac.uk>
On 07/07/11 13:18, Equin Nix wrote:
Hi Phil,
thanks a lot for the fast answer! Unfortunatelly your radius-skills seem to be far far from mine, but I think I get the point.
I tried to add the following to /sites-enabled/default/ (int authorize section) (Its not a full copy of your text, I wanted to start step by step):
[...] # # Read the 'users' file files { # compare them
No, that's wrong. As per my original email, it should be:
authorize { files if (...) { }
You've got:
authorize { files { ... } }
...which is wrong.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Phil, you got it working! All of what you wrote was right: - added Cleartext-Password2 to /usr/share/freeradius/dictionary.freeradius.internal - created user file like this: user Cleartext-Password := "1", Cleartext-Password2 += "2" - updated sites-enabled/default to look like this (*authorize *section) [..] # # Read the 'users' file files { } if (("%{User-Password}" != "%{control:Cleartext-Password}") && ("%{User-Password}" != "%{control:Cleartext-Password2}")) { update reply { Reply-Message = "I suck at FreeRadiusing!" } reject } else { update control { Auth-Type := Accept } } [..] If I can buy you a beer or something (thinking of https://secure.wikimedia.org/wikipedia/en/wiki/Beerware or https://secure.wikimedia.org/wikipedia/en/wiki/Postcardware) just email me :) Best Regards 2011/7/7 Equin Nix <equin.nix@googlemail.com>
Hi Phil,
thanks a lot for the fast answer! Unfortunatelly your radius-skills seem to be far far from mine, but I think I get the point.
I tried to add the following to *sites-enabled/default* (int authorize section) (Its not a full copy of your text, I wanted to start step by step):
[...] # # Read the 'users' file files { # compare them if (User-Password != control:Cleartext-Password) {
reject }
# probably need to set Auth-Type := Accept here update control { Auth-Type := Accept } } [...]
and freeradius won't start (even if I remove the update control section). This is the error: [...] /etc/freeradius/sites-enabled/default[154]: Subsection of module instance call not allowed /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
Any idea what might cause the trouble? Line 154 is the "if (User-Password...." line.
BTW: It is not possible with RegEx?
Best regards from Germany
2011/7/7 Phil Mayers <p.mayers@imperial.ac.uk>
On 07/07/11 09:51, Equin Nix wrote:
Hi,
I am trying to set up something very basic (at least from my point of view): I would like to have a User with multiple passwords (two actually). How would I do this? I tried the following:
/alice Auth-Type=Local, Cleartext-Password := "test1" alice Auth-Type=Local, Cleartext-Password := "test2"/
Do not set Auth-Type. It's almost always wrong, and is certainly wrong in this case.
It might be possible to have >1 password; but it will probably only work for PAP requests, unless you play carefully with module failover.
It also probably won't work in the "users" file; this is because the "User-Password" attribute is handled specially here, as a compatibility synonym for Cleartext-Password.
You could try something like this - define a second password attribute in raddb/dictionary:
ATTRIBUTE Cleartext-Password2 3002 string
...then set both in the "users" file:
alice Cleartext-Password := "foo", Cleartext-Password2 := "bar"
...then use unlang to perform the comparisons in sites-enabled/default:
authorize {
... # read the passwords from "files" files # compare them if ((User-Password != control:Cleartext-Password) && \ (User-Password != control:Cleartext-Password2)) { reject }
# probably need to set Auth-Type := Accept here update control { Auth-Type := Accept } }
If you want to do this with requests that aren't PAP e.g. CHAP, MSCHAP/PEAP etc. then it will be much harder. - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
participants (4)
-
Arran Cudbard-Bell -
Equin Nix -
Fajar A. Nugraha -
Phil Mayers