How to return Reply-Message when user submitted wrong password
Hi, Is there a way to reply with a intuitive Reply-Message (for e.g., 'Wrong Password') when the user tries to authenticate with a wrong password? My current configuration is using rlm_pap and rlm_sql for authorization and authentication. FreeRADIUS version is 1.1.7. Thanks in advance! -- Best Regards, SC
Lee Sing Chyun wrote:
Hi,
Is there a way to reply with a intuitive Reply-Message (for e.g., 'Wrong Password') when the user tries to authenticate with a wrong password?
My current configuration is using rlm_pap and rlm_sql for authorization and authentication. FreeRADIUS version is 1.1.7.
Thanks in advance!
-- Best Regards, SC
Be careful with this, do you REALLY want to tell a possible attacker what they are doing wrong? Also many clients will completely ignore the reply message anyway... HTH Patric -- Q: I want to be a sysadmin. What should I do? A: Seek professional help. ---------------------------------------------------------------------- Get a free email address with REAL anti-spam protection. http://www.bluebottle.com/tag/1
On Nov 9, 2007 2:11 PM, Patric <patrict@bluebottle.com> wrote:
Lee Sing Chyun wrote:
Hi,
Is there a way to reply with a intuitive Reply-Message (for e.g., 'Wrong Password') when the user tries to authenticate with a wrong password?
My current configuration is using rlm_pap and rlm_sql for authorization and authentication. FreeRADIUS version is 1.1.7.
Thanks in advance!
-- Best Regards, SC
Be careful with this, do you REALLY want to tell a possible attacker what they are doing wrong? Also many clients will completely ignore the reply message anyway...
HTH Patric <http://www.freeradius.org/list/users.html>
Hi Patric, Thanks for your timely warning! :-) The reason I wanted to set the Reply-Message with intuitive messages is because I have modified sql.conf to log the Reply-Message into radpostauth table: postauth_query = "INSERT into ${postauth_table} (user, pass, reply, date, reason) values ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW(), '%{reply:Reply-Message}')" The above worked fine for these scenarios: - Failed Simultaneous-Use checks : Reply-Message was "You are already logged in - access denied". - Failed Login-Time checks: Reply-Message was "You are calling outside your allowed timespan" - Failed Expiration checks: Reply-Message was "Password Has Expired" But in the scenario of wrong passwords, I notice the Reply-Message was empty. Hence, I'm looking for ways to log down "wrong passwords" reasons into the radpostauth table. -- Best Regards, SC
hi, nasty. but you could do it....eg some in this pseudo code method - just to start you off... perl module sql = your SQL table $password = select password from sql where username = $RADREQUEST{%username} if ($RADREQUEST{%User-Password} != $password) { $RADREPLY = "Your password is incorrect"; return MODULE_UPDATED; } of course, theres a few dozen bits of perl MySQL missing and a couple of check items gone...and you'd probably have to be careful where/when you run this. but it should do the job alan
On Nov 9, 2007 4:59 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
hi,
nasty. but you could do it....eg some in this pseudo code method - just to start you off... perl module
sql = your SQL table
$password = select password from sql where username = $RADREQUEST{%username}
if ($RADREQUEST{%User-Password} != $password) { $RADREPLY = "Your password is incorrect"; return MODULE_UPDATED; }
of course, theres a few dozen bits of perl MySQL missing and a couple of check items gone...and you'd probably have to be careful where/when you run this. but it should do the job
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, thank you very much for the pseudo codes. I'm quite new to FreeRADIUS, so I need to check with you: are these for writing a new module? -- Best Regards, Lee Sing Chyun
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Lee Sing Chyun -
Patric