Multiple Cleartext-Password?

Brian Candler B.Candler at pobox.com
Thu May 19 12:28:42 CEST 2011


On Wed, May 18, 2011 at 11:20:14AM -0400, Garber, Neal wrote:
> > Has anyone made a patch to rlm_pap and rlm_chap so 
> > that it supports multiple instances of Cleartext-Password?
> > The idea would be to succeed if the incoming request matches
> > any one of them.
> 
> You wouldn't have multiple Cleartext-Password attributes. You
> would just have one in the request (the one entered by the user).

The one entered by the user is in User-Password (or CHAP-Password or
whatever), not Cleartext-Password.

> You want to compare against multiple passwords.

The password that auth_pap/auth_chap compares against is in a
Cleartext-Password attribute in the control list. So we'd need multiple
instances of that.

> Are you using 
> the users file?

No, we're using mysql, but it doesn't make any difference to this
discussion.

> If so, couldn't you just list multiple entries 
> for each user (one for each password that is acceptable)?

That doesn't work - try it and see:

somebody	Cleartext-Password := "foo"
		Fall-Through = Yes

somebody	Cleartext-Password += "bar"

The auth_pap / auth_chap modules only validate the first Cleartext-Password
found.

Regards,

Brian.
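
Added example, not part of the original message and not FreeRADIUS source: a small C model of the behaviour described above, where a lookup that stops at the first Cleartext-Password rejects "bar", shown next to a match-any loop. The struct and function names (pair, find_next, same_secret, pap_first_only, pap_match_any) are hypothetical, and the control list is constructed to mirror the two users-file entries.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a control list; not FreeRADIUS's own types. */
struct pair { const char *attr; const char *value; const struct pair *next; };

/* First pair named attr at or after p, or NULL. */
static const struct pair *find_next(const struct pair *p, const char *attr)
{
    for (; p != NULL; p = p->next)
        if (strcmp(p->attr, attr) == 0)
            return p;
    return NULL;
}

/* Equality check that does not stop at the first differing byte. */
static int same_secret(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Behaviour described in the message: only the first entry is checked. */
int pap_first_only(const struct pair *control, const char *user_password)
{
    const struct pair *p = find_next(control, "Cleartext-Password");
    return p != NULL && same_secret(p->value, user_password);
}

/* Requested behaviour: succeed if any entry matches; every entry is compared. */
int pap_match_any(const struct pair *control, const char *user_password)
{
    const struct pair *p = find_next(control, "Cleartext-Password");
    int ok = 0;
    for (; p != NULL; p = find_next(p->next, "Cleartext-Password"))
        ok |= same_secret(p->value, user_password);
    return ok;
}

/* Constructed sample mirroring the two users-file entries above. */
static const struct pair cp_bar = { "Cleartext-Password", "bar", NULL };
static const struct pair cp_foo = { "Cleartext-Password", "foo", &cp_bar };

int main(void)
{
    printf("bar: first-only=%d match-any=%d\n", pap_first_only(&cp_foo, "bar"), pap_match_any(&cp_foo, "bar"));
    return 0;
}
```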


