Allow same user to authenticate with different passwords
Hi All, We are trying to allow users to authenticate with different passwords using an SQL database and freeradius version 3.0.17 (hotel scenario, where unrelated people can have the same family name). I've already seen these two links: http://freeradius.1045715.n5.nabble.com/Help-FreeRadius-Users-with-multiple-... http://lists.freeradius.org/pipermail/freeradius-users/2009-February/035570.... and I've had a look at the queries.conf file for mysql. I found the 'authorize_check_query', but that query just resolves to present all the fields for the username, and 'authorize_check_query' is not used elsewhere to use those results to retrieve the password... . So I am still at a loss of how I can change freeradius to accept a different type of radcheck table with multiple fields for the password per user, and where I would change the logic of how it accepts any of these passwords. Addiionally it should use Simultaneous-Use checks per username+password combination rather than per username. But that's of course something we can change within the sql server events and triggers. Thanks, Kind Regards, Taymour
We are trying to allow users to authenticate with different passwords using an SQL database and freeradius version 3.0.17 (hotel scenario, where unrelated people can have the same family name).
Perhaps I'm being strange here - but a single username with multiple passwords sounds like a security hole to me - in that if johnsmith is logging in twice because there are two "John Smith" users - how do you tell them apart in case of (for example) law enforcement request? Surely it's easier/better/simpler just to give everyone a unique login name? Perhaps in your hotel case use room number plus surname? So 317smith & 226smith ******************************************************************************************************************** This message may contain confidential information. If you are not the intended recipient please inform the sender that you have received the message in error before deleting it. Please do not disclose, copy or distribute information in this e-mail or take any action in relation to its contents. To do so is strictly prohibited and may be unlawful. Thank you for your co-operation. NHSmail is the secure email and directory service available for all NHS staff in England and Scotland. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services. For more information and to find out how you can switch, https://portal.nhs.net/help/joiningnhsmail
Van: Freeradius-Users <freeradius-users-bounces+rhouben=systemec.nl@lists.freeradius.org> namens WAGHORN, Jason (NHS BORDERS) via Freeradius-Users <freeradius-users@lists.freeradius.org> Verzonden: dinsdag 10 december 2019 08:43 Aan: FreeRadius users mailing list CC: WAGHORN, Jason (NHS BORDERS) Onderwerp: RE: Allow same user to authenticate with different passwords
We are trying to allow users to authenticate with different passwords using an SQL database and freeradius version 3.0.17 (hotel scenario, where unrelated people can have the same family name).
Perhaps I'm being strange here - but a single username with multiple passwords sounds like a security hole to me - in that if johnsmith is logging in twice because there are two "John Smith" users - how do you tell them apart in case of (for example) law enforcement request?
Surely it's easier/better/simpler just to give everyone a unique login name? Perhaps in your hotel case use room number plus surname? So 317smith & 226smith
From an infosec point of view this is a *terrible* idea, because it would allow a stalker or PI who knows the name of your guest to potentially figure out what room their target is in by process of elimination.
Use random names and passwords instead. --Rens.
Thanks for the feedback! The manager has very specific requirements about username and password convention... We have switched to using the name as password and room number as username, since the room number is guaranteed to be unique. As an aside, I'm very curious how other hotels using a captive portal do their authentication. On 10/12/2019, Rens Houben via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Van: Freeradius-Users <freeradius-users-bounces+rhouben=systemec.nl@lists.freeradius.org> namens WAGHORN, Jason (NHS BORDERS) via Freeradius-Users <freeradius-users@lists.freeradius.org> Verzonden: dinsdag 10 december 2019 08:43 Aan: FreeRadius users mailing list CC: WAGHORN, Jason (NHS BORDERS) Onderwerp: RE: Allow same user to authenticate with different passwords
We are trying to allow users to authenticate with different passwords using an SQL database and freeradius version 3.0.17 (hotel scenario, where unrelated people can have the same family name).
Perhaps I'm being strange here - but a single username with multiple passwords sounds like a security hole to me - in that if johnsmith is logging in twice because there are two "John Smith" users - how do you tell them apart in case of (for example) law enforcement request?
Surely it's easier/better/simpler just to give everyone a unique login name? Perhaps in your hotel case use room number plus surname? So 317smith & 226smith
From an infosec point of view this is a *terrible* idea, because it would allow a stalker or PI who knows the name of your guest to potentially figure out what room their target is in by process of elimination.
Use random names and passwords instead.
--Rens. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
As an aside, I'm very curious how other hotels using a captive portal do their authentication.
Pretty much every one I've ever stayed in has generated a unique random username/password combination valid for the duration of the stay... often the password remains blank though (or is fixed - so everyone on the staff knows the password, but only the user knows the username assigned to them) ******************************************************************************************************************** This message may contain confidential information. If you are not the intended recipient please inform the sender that you have received the message in error before deleting it. Please do not disclose, copy or distribute information in this e-mail or take any action in relation to its contents. To do so is strictly prohibited and may be unlawful. Thank you for your co-operation. NHSmail is the secure email and directory service available for all NHS staff in England and Scotland. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services. For more information and to find out how you can switch, https://portal.nhs.net/help/joiningnhsmail
participants (3)
-
Rens Houben -
Taymour Gabr -
WAGHORN, Jason (NHS BORDERS)