Authentication Failure and User Attributes
I have a little problem that I would like to fix: My setup right now works great, however there is only little problem, even if the user is rejected (i.e. incorrect password) all the user attributes are still returned. I think this is a slight security risk, since all you need to know is the username to retrieve information about the network... I am trying to stop this but placing an entry at the top of the users file, but I can not figure out what variable to test for? Any ideas? Where would I look? Thanks Bob
Bob Brandt wrote:
My setup right now works great, however there is only little problem, even if the user is rejected (i.e. incorrect password) all the user attributes are still returned. I think this is a slight security risk, since all you need to know is the username to retrieve information about the network...
That information goes to the NAS. It doesn't go to the end user. There is no security issue. Alan DeKok.
Bob Brandt <bob@brandt.ie> writes:
I have a little problem that I would like to fix:
My setup right now works great, however there is only little problem, even if the user is rejected (i.e. incorrect password) all the user attributes are still returned. I think this is a slight security risk, since all you need to know is the username to retrieve information about the network...
I am trying to stop this but placing an entry at the top of the users file, but I can not figure out what variable to test for?
Any ideas? Where would I look?
raddb/attrs.access_reject Bjørn
participants (3)
-
Alan DeKok -
Bjørn Mork -
Bob Brandt