Modifying User-Name and User-Password attributes in a module
Arash Yadegarnia
arash at bluehome.net
Wed Apr 9 16:28:35 CEST 2008
Thanks for the answer,
Stefan Winter wrote:
> Hi,
>
>
>> I've been working on a freeradius module which will operate in pre-proxy
>> and post-proxy mode. I need to modify the user-password
>> (PW_USER_PASSWORD) attribute in pre-proxy and return an RLM_MODULE_UPDATED.
>>
>
> Hm, why doesn't updating this stuff with
>
> update request {
> User-Name := whatever
> User-Password := wh4t3v3r
> }
>
> in the pre-proxy section work? No need for a module then... And if I may ask,
> why would you need to modify name and password for proxying? If it's just
> about cutting out realms, there is an excellent realm module to do that for
> you.
>
Yes, I can do that for static modifications, but in my case I have to
split the password and extract N bytes from it, which is a one-time
password for 2 factor authentication. I have to receive AUTH_ACK from
the main radius server using the original password and then process the
second authentication stage with a 2 factor authentication manager using
that N-byte-long OTP. (Connecting to the 2FA server, sending the OTP and
receiving the result.) This is why I need to do it in a module.
Now, any ideas on which of the user-password vp's I have to change?
>
>> And last question, is it safe to modify the Proxy-State attribute in
>> pre-proxy stage? Somewhere in event.c, the comments say that the RFC
>> requires it (Proxy-State) but freeradius doesn't need it, and just
>> fills it with packet->id (which is a random number). Since the RFC forbids
>> adding more than one Proxy-State to the packet, and also having in mind
>> that I don't want to introduce a new attribute (bothering dictionary
>> files), can I use the same Proxy-State (filled by freeradius with
>> packet->id) to store my own data in it?
>>
>
> Again, why on earth would you want to do that? If you want to send information
> in a packet, there's no need to abuse Proxy-State... define your own
> attribute.
>
I know this is ugly. So, if I define my own attributes, is it necessary
for the main RADIUS server (which we proxy to) to have modified dictionary
files? Or will it simply ignore those unknown attributes?
> Stefan Winter
>
>
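
The password split described in the message above, sketched in plain C as an added example (not part of the original post and not FreeRADIUS code). It assumes the OTP is the trailing N bytes of the User-Password value and is made of ASCII digits; the function name, result codes and buffer convention are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_USER_PASSWORD 128  /* RFC 2865 limit on User-Password, in octets */

enum split_result { SPLIT_OK = 0, SPLIT_BAD_ARG, SPLIT_TOO_SHORT, SPLIT_BAD_OTP };

/*
 * Split a received password into its static part and a trailing OTP.
 * Assumption: the OTP is the last otp_len bytes and is digits only.
 * pw_out and otp_out must each hold MAX_USER_PASSWORD + 1 bytes; they are
 * NUL-terminated on success and left untouched on any error.
 */
enum split_result split_password_otp(const char *in, size_t in_len,
                                     size_t otp_len,
                                     char *pw_out, char *otp_out)
{
    size_t pw_len, i;

    if (!in || !pw_out || !otp_out || otp_len == 0 ||
        in_len > MAX_USER_PASSWORD)
        return SPLIT_BAD_ARG;

    /* At least one byte of static password must remain after the cut,
     * otherwise the first factor would be empty. */
    if (in_len <= otp_len)
        return SPLIT_TOO_SHORT;

    pw_len = in_len - otp_len;

    /* Validate the OTP before copying anything out. */
    for (i = 0; i < otp_len; i++) {
        if (!isdigit((unsigned char)in[pw_len + i]))
            return SPLIT_BAD_OTP;
    }

    memcpy(pw_out, in, pw_len);
    pw_out[pw_len] = '\0';
    memcpy(otp_out, in + pw_len, otp_len);
    otp_out[otp_len] = '\0';
    return SPLIT_OK;
}
```

Only the static part would go into the proxied request; the OTP stays with the module for the second stage after the home server answers.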