Parse error for non-hex characters in users file
Hello list, Working with a FreeRADIUS 2.2.8 (I know, it’s “old” but for the moment, upgrade is not really a possible way) I am getting the following error when trying to start radiusd. Error: Parse error (check) for entry my_awesome_username: Non-hex characters at gX The users file specified by the error message does contains some “hex characters” as the “hashed password” for a user entry. ie: “my_awesome_username” MD5-Password := “0X………" It looks to me like FreeRADIUS is trying to interpret the password as an hexadecimal value and then breaks… I found out that there may be a fix for this exact “issue” introduced in FreeRADIUS 3.0.6 (https://lists.freeradius.org/pipermail/freeradius-users/2015-February/075885... <https://lists.freeradius.org/pipermail/freeradius-users/2015-February/075885.html>) Handle NT-Hash in rlm_pap. This allows passwords to have backslashes in them. I was wondering if someone could point me to the patch file / the fix itself so that I can evaluate if it is something possible to port that fix onto my 2.2.8 version. Thanks! Cheers! -dw. — Derek Wuelfrath dwuelfrath@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110) Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
On May 11, 2016, at 10:38 AM, Derek Wuelfrath <dwuelfrath@inverse.ca> wrote:
Working with a FreeRADIUS 2.2.8 (I know, it’s “old” but for the moment, upgrade is not really a possible way)
Upgrades are always possible. The only reason to *not* upgrade is political.
I am getting the following error when trying to start radiusd.
Error: Parse error (check) for entry my_awesome_username: Non-hex characters at gX
The users file specified by the error message does contains some “hex characters” as the “hashed password” for a user entry.
ie: “my_awesome_username” MD5-Password := “0X………"
It looks to me like FreeRADIUS is trying to interpret the password as an hexadecimal value and then breaks…
The MD5-Password is *defined* to take hex characters. i.e. MD5-Password := 0xabcdef01234 So... what are you trying to put into the MD5-Password attribute? The clear text password? If so, use Cleartext-Password.
I found out that there may be a fix for this exact “issue” introduced in FreeRADIUS 3.0.6 (https://lists.freeradius.org/pipermail/freeradius-users/2015-February/075885... <https://lists.freeradius.org/pipermail/freeradius-users/2015-February/075885.html>) Handle NT-Hash in rlm_pap. This allows passwords to have backslashes in them.
That's a different fix.
I was wondering if someone could point me to the patch file / the fix itself so that I can evaluate if it is something possible to port that fix onto my 2.2.8 version.
Ensure that you're using hex for MD5-Password, and clear text for Cleartext-Password. The most likely explanation is that you're doing something wrong. Since you didn't show *exactly* what you're doing, that's the best answer you're going to get. Alan DeKok.
Upgrades are always possible. The only reason to *not* upgrade is political.
Which is exactly the case ;)
It looks to me like FreeRADIUS is trying to interpret the password as an hexadecimal value and then breaks…
The MD5-Password is *defined* to take hex characters. i.e.
MD5-Password := 0xabcdef01234
So... what are you trying to put into the MD5-Password attribute? The clear text password?
If so, use Cleartext-Password.
It is actually the “hashed” clear text password, on which I unfortunately do not have control…
I found out that there may be a fix for this exact “issue” introduced in FreeRADIUS 3.0.6 (https://lists.freeradius.org/pipermail/freeradius-users/2015-February/075885... <https://lists.freeradius.org/pipermail/freeradius-users/2015-February/075885.html>) Handle NT-Hash in rlm_pap. This allows passwords to have backslashes in them.
That's a different fix.
Excellent! Thanks for pointing this out.
The most likely explanation is that you're doing something wrong. Since you didn't show *exactly* what you're doing, that's the best answer you're going to get.
I’ll complete some other tests and will report if necessary. Unfortunately (yeah, again) I cannot “show exactly” what I’m doing due to political reasons. I know that it is hard to help in those circumstances but I was seeking for advise on the specified “fix” (which you said was not related) and was simply explaining my situation. Thanks Alan! Cheers! -dw. — Derek Wuelfrath dwuelfrath@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110) Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
On May 11, 2016, at 10:48, Alan DeKok <aland@deployingradius.com> wrote:
On May 11, 2016, at 10:38 AM, Derek Wuelfrath <dwuelfrath@inverse.ca> wrote:
Working with a FreeRADIUS 2.2.8 (I know, it’s “old” but for the moment, upgrade is not really a possible way)
Upgrades are always possible. The only reason to *not* upgrade is political.
I am getting the following error when trying to start radiusd.
Error: Parse error (check) for entry my_awesome_username: Non-hex characters at gX
The users file specified by the error message does contains some “hex characters” as the “hashed password” for a user entry.
ie: “my_awesome_username” MD5-Password := “0X………"
It looks to me like FreeRADIUS is trying to interpret the password as an hexadecimal value and then breaks…
The MD5-Password is *defined* to take hex characters. i.e.
MD5-Password := 0xabcdef01234
So... what are you trying to put into the MD5-Password attribute? The clear text password?
If so, use Cleartext-Password.
I found out that there may be a fix for this exact “issue” introduced in FreeRADIUS 3.0.6 (https://lists.freeradius.org/pipermail/freeradius-users/2015-February/075885... <https://lists.freeradius.org/pipermail/freeradius-users/2015-February/075885.html>) Handle NT-Hash in rlm_pap. This allows passwords to have backslashes in them.
That's a different fix.
I was wondering if someone could point me to the patch file / the fix itself so that I can evaluate if it is something possible to port that fix onto my 2.2.8 version.
Ensure that you're using hex for MD5-Password, and clear text for Cleartext-Password.
The most likely explanation is that you're doing something wrong. Since you didn't show *exactly* what you're doing, that's the best answer you're going to get.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 11-05-16 16:56, Derek Wuelfrath wrote:
The most likely explanation is that you're doing something wrong. Since you didn't show *exactly* what you're doing, that's the best answer you're going to get.
I’ll complete some other tests and will report if necessary. Unfortunately (yeah, again) I cannot “show exactly” what I’m doing due to political reasons. I know that it is hard to help in those circumstances but I was seeking for advise on the specified “fix” (which you said was not related) and was simply explaining my situation.
Just a wild guess: did you add the base64-encoded version of the md5 password instead of the hex-version? -- Herwin Weststrate
participants (3)
-
Alan DeKok -
Derek Wuelfrath -
Herwin Weststrate