Garbage password from pam_radius_auth with skip_passwd set
I'm using pam_radius_auth with 'skip_passwd' to talk to FreeRADIUS, and seem to be receiving garbage passwords in the initial request, instead of the empty password I expected. (USAGE says pam_radius_auth sends a "NULL" password, but I don't know if it means the User-Password field is to be zero-length, zero-filled, or nonexisting.) PAM config: auth required pam_radius_auth-1.4.0.so debug skip_passwd The User-Password contained in the initial request appears as 16 random-looking bytes:
------------- freeradius -X rad_recv: Access-Request packet from host 127.0.0.1 port 41394, id=210, length=72 User-Name = "user" User-Password = "\222\350)\2304Z@ \374\217G>߇<\t" ...
rlm_perl: test.pl: RAD_REQUEST: User-Password = '\222\350)\2304Z@ \374\217G>�?<\t' rlm_perl: Added pair User-Password = \222\350)\2304Z@ \374\217G>�?<\t
The "rlm_perl: test.pl" line comes from a perl script that just prints the received values, like example.pl. If I give an empty response to a password prompt, I get the empty password as expected:
------------- freeradius -X rad_recv: Access-Request packet from host 127.0.0.1 port 41394, id=211, length=71 User-Name = "user" User-Password = ""
rlm_perl: test.pl: RAD_REQUEST: User-Password = '' rlm_perl: Added pair User-Password =
This works with both the initial password prompt if skip_passwd is not set, and in replies to any Access-Challenges sent later on. I don't think this is the expected behaviour given the documentation, any thoughts?
On Fri, Feb 03, 2017 at 04:34:23PM +0200, Ilkka Virta wrote:
The User-Password contained in the initial request appears as 16 random-looking bytes:
I don't think this is the expected behaviour given the documentation, any thoughts?
Shared secret is wrong? Check it's identical at both ends. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 3.2. 16:41, Matthew Newton wrote:
On Fri, Feb 03, 2017 at 04:34:23PM +0200, Ilkka Virta wrote:
The User-Password contained in the initial request appears as 16 random-looking bytes:
I don't think this is the expected behaviour given the documentation, any thoughts?
Shared secret is wrong? Check it's identical at both ends.
No, the shared secret is correct. If it were wrong, _all_ passwords would be garbled, not just the one in the initial query. The client would also complain about an invalid authenticator. But user-entered passwords work, empty or otherwise.
participants (2)
-
Ilkka Virta -
Matthew Newton