Hi, I am planning on using radclient in a quick authentication script until I could fix an authentication library. I thought of using radclient in a shell script for the authentication task as it seemed fairly simple, however I wasn't able to figure out how to escape values that are set by the user; namely User-Name and User-Password. I tried checking the manual page but I haven't had any luck with that. It doesn't seem to have been mentioned, but I'm fairly sure this scenario was considered. TIA, rany
This is what I have so far, I seriously doubt it is safe: #!/bin/bash set -euf [ -z "${username:-}" ] && exit 1 RAD_SERVER="127.0.0.1:1812" RAD_PASSWD="testing123" RAD_CMD="auth" RAD_MSG="" add_msg() { RAD_MSG="${RAD_MSG}${1} = ${2}"$'\r\n' } add_msg_untrusted() { val="${2//\"/\\\"}" val="${val//$'\n'/}" val="${val//$'\r'/}" RAD_MSG="${RAD_MSG}${1} = \"${val}\""$'\r\n' } add_msg Framed-Protocol PPP add_msg Message-Authenticator 0x00 add_msg NAS-IP-Address "$( (hostname || uname -n) 2>/dev/null | sed 1q)" add_msg NAS-Port 0 add_msg Service-Type Framed-User add_msg_untrusted User-Name "${username}" if [ -n "${password:-}" ]; then add_msg_untrusted "User-Password" "${password}" fi exec radclient -q -f <(printf '%s\n' "${RAD_MSG}") \ -S <(printf '%s' "${RAD_PASSWD}") "${RAD_SERVER}" "${RAD_CMD}" On 5/6/23 16:26, rany wrote:
Hi,
I am planning on using radclient in a quick authentication script until I could fix an authentication library. I thought of using radclient in a shell script for the authentication task as it seemed fairly simple, however I wasn't able to figure out how to escape values that are set by the user; namely User-Name and User-Password.
I tried checking the manual page but I haven't had any luck with that. It doesn't seem to have been mentioned, but I'm fairly sure this scenario was considered.
TIA, rany
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 6, 2023, at 4:34 PM, rany <rany2@riseup.net> wrote:
This is what I have so far, I seriously doubt it is safe:
radclient is just a program, like any other program you run from the shell. So any values you give to radclient need to be "safe", but only from the perspective of the script which is running radclient. These safety rules are the same for any programming running from the shell. See https://unix.stackexchange.com/questions/644415/passing-arguments-to-a-comma... for some examples. i.e. the issue of "safety" isn't for radclient. It's for the shell script you use to call radclient. So escaping is the responsibility of the shell script. Once radclient puts the name / password into a RADIUS packet, it's safe. There is no more escaping needed, as the RADIUS packets can contain any data. And FreeRADIUS knows that the name / password are untrusted. So FreeRADIUS never does anything unsafe with those values. Alan DeKok.
Thank you, so I believe that radclient would just take care of this after escaping it. However I was trying to understand the rules of escaping exactly, what are they? Currently I'm removing CR and LF and escaping double quotes and backslashes as you typically would. Is there anything else I should keep in mind when it comes to putting an input in double quotes? val="${2//\\/\\\\}" # escape \ val="${val//\"/\\\"}" # escape " val="${val//$'\n'/}" # drop lf val="${val//$'\r'/}" # drop cr RAD_MSG="${RAD_MSG}${1} = \"${val}\""$'\r\n' On 5/7/23 10:40, Alan DeKok wrote:
On May 6, 2023, at 4:34 PM, rany <rany2@riseup.net> wrote:
This is what I have so far, I seriously doubt it is safe: radclient is just a program, like any other program you run from the shell. So any values you give to radclient need to be "safe", but only from the perspective of the script which is running radclient.
These safety rules are the same for any programming running from the shell. See https://unix.stackexchange.com/questions/644415/passing-arguments-to-a-comma... for some examples.
i.e. the issue of "safety" isn't for radclient. It's for the shell script you use to call radclient. So escaping is the responsibility of the shell script.
Once radclient puts the name / password into a RADIUS packet, it's safe. There is no more escaping needed, as the RADIUS packets can contain any data. And FreeRADIUS knows that the name / password are untrusted. So FreeRADIUS never does anything unsafe with those values.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 7, 2023, at 11:24 AM, rany <rany2@riseup.net> wrote:
Thank you, so I believe that radclient would just take care of this after escaping it.
radclient takes the data after the shell has done escaping or unescaping.
However I was trying to understand the rules of escaping exactly, what are they?
As I said, the shell does this. Not radclient. See the shell documentation for shell escaping rules. Alan DeKok.
I think you are misunderstanding me, radtest for example does not do any escaping prior to sending data to radclient; so this input breaks it: # radtest rany aaaa\\ 127.0.0.1:1812 0 testing123 (0) Error parsing "stdin": Expected end of line or comma I'm trying to handle inputs like these so that radclient could handle someone having a `\` in the username/password. The issue is not shell escaping. On 5/7/23 15:58, Alan DeKok wrote:
On May 7, 2023, at 11:24 AM, rany <rany2@riseup.net> wrote:
Thank you, so I believe that radclient would just take care of this after escaping it. radclient takes the data after the shell has done escaping or unescaping.
However I was trying to understand the rules of escaping exactly, what are they? As I said, the shell does this. Not radclient. See the shell documentation for shell escaping rules.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 7, 2023, at 3:12 PM, rany <rany2@riseup.net> wrote:
I think you are misunderstanding me
I am answering the questions you are asking. If you want different answers, then ask different questions.
radtest for example does not do any escaping prior to sending data to radclient; so this input breaks it:
So when you asked multiple questions about radclient, you were really asking questions about radtest?
# radtest rany aaaa\\ 127.0.0.1:1812 0 testing123 (0) Error parsing "stdin": Expected end of line or comma
I'm trying to handle inputs like these so that radclient could handle someone having a `\` in the username/password. The issue is not shell escaping.
The issue is absolutely shell escaping. radclient has no issues with a backslash in the username or password. The radtest program doesn't deal well with shell escaping, because it's intended as a simple tool for testing basic (i.e. simple) names and passwords. If you want to write your own shell script wrapper around radclient, then you have to understand the shell escaping rules, and deal with them. I really don't know how else to explain this. All of the unescaping rules you've posted are written in shell script, not "radclient script". So the problem is the shell, not radclient. Go read the shell documentation, and the unescaping rules there. Once you can pass the appropriate text to radclient, radclient will use it. This is how EVERY program on your OS works. There is nothing magical about radclient. Alan DeKok.
I'm sorry for the incorrect wording of my question. I meant to ask about what escaping rules a double quoted string in radclient follows. This is so that I could escape the double quoted string in bash shell before sending it to radclient. I ended up landing on this: val="${2}" val="${val//\\/\\\\}" val="${val//$'\n'/\\n}" val="${val//$'\r'/\\r}" val="${val//\"/\\\"}" RAD_MSG="${RAD_MSG}${1} = \"${val}\""$'\r\n' Somewhat related to this: However I was hoping that I would be able to convert it into a hex string and just send radclient something like this: User-Password = "\x72\x66\x6a" This way I wouldn't risk potentially missing some escape rule, in fact that was the first thing I tried prior to escaping. However it doesn't appear to work as I expected, as it appears that a double quoted string in radclient follows different rules than in configs; which is what prompted my question. On 5/7/23 16:27, Alan DeKok wrote:
On May 7, 2023, at 3:12 PM, rany <rany2@riseup.net> wrote:
I think you are misunderstanding me I am answering the questions you are asking. If you want different answers, then ask different questions.
radtest for example does not do any escaping prior to sending data to radclient; so this input breaks it: So when you asked multiple questions about radclient, you were really asking questions about radtest?
# radtest rany aaaa\\ 127.0.0.1:1812 0 testing123 (0) Error parsing "stdin": Expected end of line or comma
I'm trying to handle inputs like these so that radclient could handle someone having a `\` in the username/password. The issue is not shell escaping. The issue is absolutely shell escaping. radclient has no issues with a backslash in the username or password.
The radtest program doesn't deal well with shell escaping, because it's intended as a simple tool for testing basic (i.e. simple) names and passwords.
If you want to write your own shell script wrapper around radclient, then you have to understand the shell escaping rules, and deal with them. I really don't know how else to explain this. All of the unescaping rules you've posted are written in shell script, not "radclient script". So the problem is the shell, not radclient.
Go read the shell documentation, and the unescaping rules there. Once you can pass the appropriate text to radclient, radclient will use it. This is how EVERY program on your OS works. There is nothing magical about radclient.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 7, 2023, at 4:00 PM, rany <rany2@riseup.net> wrote:
I'm sorry for the incorrect wording of my question.
I meant to ask about what escaping rules a double quoted string in radclient follows.
The strings which radclient reads are single-quoted strings: 'foo', or double-quoted strings: "foo" The normal string quoting rules apply for each type of string. Alan DeKok.
Thank you, is there any chance that hex escapes could be made to work with radclient? This is what tipped me off and made me think that the normal rules do not apply here. On 5/7/23 18:29, Alan DeKok wrote:
On May 7, 2023, at 4:00 PM, rany <rany2@riseup.net> wrote:
I'm sorry for the incorrect wording of my question.
I meant to ask about what escaping rules a double quoted string in radclient follows. The strings which radclient reads are single-quoted strings: 'foo', or double-quoted strings: "foo"
The normal string quoting rules apply for each type of string.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 7, 2023, at 6:45 PM, rany <rany2@riseup.net> wrote:
Thank you, is there any chance that hex escapes could be made to work with radclient?
This is what tipped me off and made me think that the normal rules do not apply here.
Hex escapes work. Try using hex escapes in a simple file that you create with a text editor. They will work. The issue is that you're using escapes in a double-quoted string, and the shell is parsing the escapes before passing them to radclient. Alan DeKok.
I tried with this file named "test.txt": Framed-Protocol = PPP Message-Authenticator = 0x00 NAS-IP-Address = redacted NAS-Port = 0 Service-Type = Framed-User User-Name = "\x72\x61\x6e\x79" #User-Name = "rany" User-Password = "mypassword" Hex escaped variant does not work, I ran it like so: `radclient -f test.txt 127.0.0.1 auth testing123` On 5/7/23 21:38, Alan DeKok wrote:
On May 7, 2023, at 6:45 PM, rany <rany2@riseup.net> wrote:
Thank you, is there any chance that hex escapes could be made to work with radclient?
This is what tipped me off and made me think that the normal rules do not apply here. Hex escapes work. Try using hex escapes in a simple file that you create with a text editor. They will work.
The issue is that you're using escapes in a double-quoted string, and the shell is parsing the escapes before passing them to radclient.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 7, 2023, at 8:45 PM, rany <rany2@riseup.net> wrote:
I tried with this file named "test.txt":
Framed-Protocol = PPP Message-Authenticator = 0x00 NAS-IP-Address = redacted NAS-Port = 0 Service-Type = Framed-User User-Name = "\x72\x61\x6e\x79" #User-Name = "rany" User-Password = "mypassword"
Hex escaped variant does not work, I ran it like so: `radclient -f test.txt 127.0.0.1 auth testing123`
Define "does not work". i.e. you have logs of what the server receives. Post them. Don't give vague english descriptions. Alan DeKok.
On 5/7/23 21:47, Alan DeKok wrote:
On May 7, 2023, at 8:45 PM, rany <rany2@riseup.net> wrote:
I tried with this file named "test.txt":
Framed-Protocol = PPP Message-Authenticator = 0x00 NAS-IP-Address = redacted NAS-Port = 0 Service-Type = Framed-User User-Name = "\x72\x61\x6e\x79" #User-Name = "rany" User-Password = "mypassword"
Hex escaped variant does not work, I ran it like so: `radclient -f test.txt 127.0.0.1 auth testing123` Define "does not work".
i.e. you have logs of what the server receives. Post them. Don't give vague english descriptions.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"does not work" = I get an "Access-Reject" as a response from the server. Hex escaped variant: # radclient -f test 127.0.0.1 auth testing123 Sent Access-Request Id 100 from 0.0.0.0:35361 to 127.0.0.1:1812 length 98 Received Access-Reject Id 100 from 127.0.0.1:1812 to 127.0.0.1:35361 length 20 (0) test: Expected Access-Accept got Access-Reject Non-hex escaped: # radclient -f test 127.0.0.1 auth testing123 Sent Access-Request Id 148 from 0.0.0.0:42483 to 127.0.0.1:1812 length 86 Received Access-Accept Id 148 from 127.0.0.1:1812 to 127.0.0.1:42483 length 20
On May 7, 2023, at 8:48 PM, rany <rany2@riseup.net> wrote:
"does not work" = I get an "Access-Reject" as a response from the server.
All of the documentation tells you how to run the server in debug mode. If you're not going to post that, there isn't much I can do.
Hex escaped variant:
# radclient -f test 127.0.0.1 auth testing123 Sent Access-Request Id 100 from 0.0.0.0:35361 to 127.0.0.1:1812 length 98 Received Access-Reject Id 100 from 127.0.0.1:1812 to 127.0.0.1:35361 length 20 (0) test: Expected Access-Accept got Access-Reject
There's also a "-x" debug mode for radclient, which shows you exactly what it's sending to the server. You are working very hard to ignore all of the information which tells you what's going on, I don't understand why. Alan DeKok.
On 5/7/23 21:52, Alan DeKok wrote:
All of the documentation tells you how to run the server in debug mode. If you're not going to post that, there isn't much I can do.
Sorry, I just sent you the part of the debug log that I thought you need. If you need the full log file I am willing to share.
On 5/7/23 21:56, rany wrote:
On 5/7/23 21:52, Alan DeKok wrote:
All of the documentation tells you how to run the server in debug mode. If you're not going to post that, there isn't much I can do.
Sorry, I just sent you the part of the debug log that I thought you need. If you need the full log file I am willing to share.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I have attached the full log in the off-chance you need it as I'm about to logoff, the file used with radclient is the following:
Framed-Protocol = PPP Message-Authenticator = 0x00 NAS-IP-Address = 10.146.180.1 NAS-Port = 0 Service-Type = Framed-User User-Name = "ramy" #User-Name = "\x72\x61\x6d\x79\x0a" User-Password = "df0I1t1cgHgR7TeT23r1djffy6dIIfo" The first "Access-Request" was the normal/unhex escaped variant the second "Access-Request" is the hex escaped variant. Apologies if I seemed uncooperative and thanks for the assistance.
On May 7, 2023, at 9:08 PM, rany <rany2@riseup.net> wrote:
I have attached the full log in the off-chance you need it as I'm about to logoff, the file used with radclient is the following:
Framed-Protocol = PPP Message-Authenticator = 0x00 NAS-IP-Address = 10.146.180.1 NAS-Port = 0 Service-Type = Framed-User User-Name = "ramy" #User-Name = "\x72\x61\x6d\x79\x0a" User-Password = "df0I1t1cgHgR7TeT23r1djffy6dIIfo"
The first "Access-Request" was the normal/unhex escaped variant the second "Access-Request" is the hex escaped variant.
I'm not sure where you see the documentation saying that it's possible to escape hex characters in radclient via things like "\xAB". It's not supposed to work, and it's not documented as working. Alan DeKok.
On 5/8/23 19:31, Alan DeKok wrote:
I'm not sure where you see the documentation saying that it's possible to escape hex characters in radclient via things like "\xAB". It's not supposed to work, and it's not documented as working.
I didn't find any documentation mentioning escape sequences supported by radclient, which is what prompted this thread. I thought the rules used in the config would have applied there but I guess it was never supported nor intended to be supported.
This is what the server received with -X set for the hex variant: (2) Received Access-Request Id 31 from 127.0.0.1:50245 to 127.0.0.1:1812 length 98 (2) Framed-Protocol = PPP (2) Message-Authenticator = 0x3e181e9c7e2f53a2c3433b640a968db7 (2) NAS-IP-Address = 10.146.80.1 (2) NAS-Port = 0 (2) Service-Type = Framed-User (2) User-Name = "\\x72\\x61\\x6e\\x79" (2) User-Password = "mypasssword" On 5/7/23 21:48, rany wrote:
On 5/7/23 21:47, Alan DeKok wrote:
On May 7, 2023, at 8:45 PM, rany <rany2@riseup.net> wrote:
I tried with this file named "test.txt":
Framed-Protocol = PPP Message-Authenticator = 0x00 NAS-IP-Address = redacted NAS-Port = 0 Service-Type = Framed-User User-Name = "\x72\x61\x6e\x79" #User-Name = "rany" User-Password = "mypassword"
Hex escaped variant does not work, I ran it like so: `radclient -f test.txt 127.0.0.1 auth testing123` Define "does not work".
i.e. you have logs of what the server receives. Post them. Don't give vague english descriptions.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"does not work" = I get an "Access-Reject" as a response from the server.
Hex escaped variant:
# radclient -f test 127.0.0.1 auth testing123 Sent Access-Request Id 100 from 0.0.0.0:35361 to 127.0.0.1:1812 length 98 Received Access-Reject Id 100 from 127.0.0.1:1812 to 127.0.0.1:35361 length 20 (0) test: Expected Access-Accept got Access-Reject
Non-hex escaped:
# radclient -f test 127.0.0.1 auth testing123 Sent Access-Request Id 148 from 0.0.0.0:42483 to 127.0.0.1:1812 length 86 Received Access-Accept Id 148 from 127.0.0.1:1812 to 127.0.0.1:42483 length 20
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
rany