Re: special characters in passwords + FR + ldap
Hi,
From: "Natalia Escalera" <nescalera@gmail.com>
I was wondering if someone has any idea of how to solve the problem of special characters(e.g. $) in FreeRadius 1.1.0.
Have you tried FreeRADIUS 1.1. which was released last week? According to the ChangeLog the bug #261 has been fixed and it was the "attributes retreived from ldap are truncated at first space" bug, which sounded very similar to our problem: http://bugs.freeradius.org/show_bug.cgi?id=261 -- Tero Turtiainen Technology Services Capgemini tero.turtiainen@capgemini.com This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
Hi, We will try the new version and see if the problem was fixed. Thanks a lot. Natalia. On 3/27/06, Turtiainen, Tero <tero.turtiainen@capgemini.com> wrote:
Hi,
From: "Natalia Escalera" <nescalera@gmail.com>
I was wondering if someone has any idea of how to solve the problem of special characters(e.g. $) in FreeRadius 1.1.0.
Have you tried FreeRADIUS 1.1. which was released last week?
According to the ChangeLog the bug #261 has been fixed and it was the "attributes retreived from ldap are truncated at first space" bug, which sounded very similar to our problem: http://bugs.freeradius.org/show_bug.cgi?id=261 -- Tero Turtiainen Technology Services Capgemini tero.turtiainen@capgemini.com
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, We tried FR 1.1.1 and we are still having problems with passwords containing special characters like '$' for the LDAP authentication. In FR 1.1.0 the '$' was replaced by a character such as '%24'. For the new version, the symbol '$' is deleted as well as the character that is next to it. Here is an example of the executed command and its output: Command: /usr/local/bin/radtest username "test$2006" x.x.x.x 1 test123 Output: Sending Access-Request of id 215 to x.x.x.x port 1812 User-Name = "username" User-Password = "test006" #<----- No dollar sign, no number 2 NAS-IP-Address = 255.255.255.255 NAS-Port = 1 rad_recv: Access-Reject packet from host x.x.x.x:1812, id=215, length=20 Can this situation be considered please? Thank you in advance, Natalia. On 3/27/06, Natalia Escalera <nescalera@gmail.com> wrote:
Hi,
We will try the new version and see if the problem was fixed.
Thanks a lot. Natalia.
On 3/27/06, Turtiainen, Tero <tero.turtiainen@capgemini.com> wrote:
Hi,
From: "Natalia Escalera" <nescalera@gmail.com>
I was wondering if someone has any idea of how to solve the problem of special characters(e.g. $) in FreeRadius 1.1.0.
Have you tried FreeRADIUS 1.1. which was released last week?
According to the ChangeLog the bug #261 has been fixed and it was the "attributes retreived from ldap are truncated at first space" bug, which sounded very similar to our problem: http://bugs.freeradius.org/show_bug.cgi?id=261 -- Tero Turtiainen Technology Services Capgemini tero.turtiainen@capgemini.com
This message contains information that may be privileged or confidential
and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
- List info/subscribe/unsubscribe? See
I've tracked down why some of my users aren't authenticating... Appartenly somewhere (rlm_sql ?) the username is being changed possible in an anti-injection function, I don't know. Can someone shed some light on this? For instance, in the debug snip below, the username 'dcox&dcox' is changed to 'dcox=26dcox' which of course fails the sql select statement. radius_xlat: 'dcox&dcox' rlm_sql (sql): sql_set_user escaped user --> 'dcox&dcox' radius_xlat: 'select id, username, attribute, value, op from radcheck where username = 'dcox=26dcox' order by id' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): User dcox&dcox not found in radcheck
"Duane Cox" <duanec@mail.illicom.net> wrote:
Appartenly somewhere (rlm_sql ?) the username is being changed possible in an anti-injection function, I don't know. Can someone shed some light on this?
See sql.conf, look for safe characters. Edit at your own risk. Alan DeKok.
Duane Cox wrote:
Appartenly somewhere (rlm_sql ?) the username is being changed possible in an anti-injection function, I don't know. Can someone shed some light on this?
For instance, in the debug snip below, the username 'dcox&dcox' is changed to 'dcox=26dcox' which of course fails the sql select statement.
It's not a bug, it's a feature. It prevents SQL injection attacks on your backend database. http://www.google.com/search?q=sql+injection+attack As Alan said, you can change the "safe-characters" option in sql.conf, but only if you know exactly what you are doing. -- Nicolas Baradakis
"Natalia Escalera" <nescalera@gmail.com> wrote:
Command: /usr/local/bin/radtest username "test$2006" x.x.x.x 1 test123 Output: Sending Access-Request of id 215 to x.x.x.x port 1812 User-Name = "username" User-Password = "test006" #<----- No dollar sign, no number 2
$2 is a Unix shell variable. This has nothing to do with FreeRADIUS. /usr/local/bin/radtest username 'test$2006' x.x.x.x 1 test123 will work. Note SINGLE quotes, not DOUBLE quotes. Alan DeKok.
Hi, Thank you for the support, we will try it out in that way. Natalia On 3/30/06, Alan DeKok <aland@ox.org> wrote:
"Natalia Escalera" <nescalera@gmail.com> wrote:
Command: /usr/local/bin/radtest username "test$2006" x.x.x.x 1 test123 Output: Sending Access-Request of id 215 to x.x.x.x port 1812 User-Name = "username" User-Password = "test006" #<----- No dollar sign, no number 2
$2 is a Unix shell variable. This has nothing to do with FreeRADIUS.
/usr/local/bin/radtest username 'test$2006' x.x.x.x 1 test123
will work. Note SINGLE quotes, not DOUBLE quotes.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan DeKok -
Duane Cox -
Natalia Escalera -
Nicolas Baradakis -
Turtiainen, Tero