2.x.x (and earlier?): yet another decoding SSHA issue

Stefan Winter stefan.winter at restena.lu
Thu Jul 18 15:15:22 CEST 2013


Hi,

> The solution I posted earlier should work fine:
> 
> update control {
> 	SSHA1-Password = "%{base64tohex:SSHA1-Password-Base64}"
> }
> 
> You will need to define the local string attribute 'SSHA1-Password-Base64' and change the attribute in the database. 

Doesn't do the trick for me. I defined a VSA in our space,
RESTENA-SSHA1-Password, as a string. I then modified our DB queries to
always set that new attribute name instead of the "SSHA1-Password"
they'd usually return. The query works as expected (verified on the DB
server).

Here is the result:

* when using: SSHA1-Password = "%{base64tohex:RESTENA-SSHA1-Password}"

rlm_sql_mysql: query:  (SELECT id, username, 'RESTENA-SSHA1-Password',
value, op FROM check_smtp_ssha1 WHERE username='xyz')
[sql-smtp-hash] User found in radcheck table
rlm_sql (sql-smtp-hash): Released sql socket id: 0
+++[sql-smtp-hash] returns ok
++- policy redundant returns ok
        expand: RESTENA-SSHA1-Password -> RESTENA-SSHA1-Password
rlm_expr: base64 string invalid
        expand: %{base64tohex:RESTENA-SSHA1-Password} ->
++[control] returns ok

The base64 strings that are in the DB are not invalid; we use them for auth all
the time. I suspect that the string "RESTENA-SSHA1-Password" is taken
literally, and is of course not a valid base64 string.

I tried to be clever and force an expansion of the attribute content with:

* SSHA1-Password := "%{base64tohex:%{RESTENA-SSHA1-Password}}"

But that makes xlat fail completely. Maybe that's me not understanding
unlang enough though.

rlm_sql_mysql: query:  (SELECT id, username, 'RESTENA-SSHA1-Password',
value, op FROM check_smtp_ssha1 WHERE username='xyz')
[sql-smtp-hash] User found in radcheck table
rlm_sql (sql-smtp-hash): Released sql socket id: 2
+++[sql-smtp-hash] returns ok
++- policy redundant returns ok
        expand: %{RESTENA-SSHA1-Password} ->
rlm_expr: xlat failed.
        expand: %{base64tohex:%{RESTENA-SSHA1-Password}} ->
++[control] returns ok

Any comment as to how to make this work?

This is on 2.x.x from today's GIT BTW, as it's the first version that
works without any modifications on systemd. Except for the 0X thing of
course; otherwise I'd be happy with a 2.2.1 rollout.

Stefan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
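Added example, not part of Stefan's message and not FreeRADIUS code: a small Python model of the data the thread is about. It assumes the database holds the conventional SSHA1 payload, base64(SHA1(password || salt) || salt), with a 20-byte digest followed by the salt. `base64tohex` here is a stand-in for the xlat of the same name (assumed behaviour: strict base64 decode, then lowercase hex, and failure on bad input); it shows why feeding the literal text "RESTENA-SSHA1-Password" produces an "invalid" result, and `verify_ssha1` shows what a checker has to do with the decoded bytes. Sample password and salt are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional


def make_ssha1(password: str, salt: Optional[bytes] = None) -> str:
    """Build the base64 SSHA1 payload: SHA1(password || salt) || salt.
    A fresh random salt is generated when none is supplied."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def base64tohex(text: str) -> Optional[str]:
    """Model of the base64tohex step (assumption, not the real xlat):
    strict base64 decode, then lowercase hex. Returns None when the input
    is not valid base64, e.g. when an attribute *name* is passed literally."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.hex()


def verify_ssha1(password: str, stored_b64: str) -> bool:
    """Check a password against a stored SSHA1 payload.
    Rejects malformed payloads and compares digests in constant time."""
    hexval = base64tohex(stored_b64)
    if hexval is None:
        return False
    raw = bytes.fromhex(hexval)
    if len(raw) <= 20:          # need a 20-byte SHA1 digest plus a salt
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample; the salt is fixed only to make the run reproducible.
    stored = make_ssha1("correct horse", salt=b"\x01\x02\x03\x04")
    print("stored payload:", stored)
    print("hex of payload:", base64tohex(stored))
    print("right password:", verify_ssha1("correct horse", stored))
    print("wrong password:", verify_ssha1("battery staple", stored))
    # Passing the attribute name instead of its value fails to decode,
    # which matches the 'base64 string invalid' symptom in the debug log.
    print("literal name  :", base64tohex("RESTENA-SSHA1-Password"))
```

The check in `verify_ssha1` is the reason the hex conversion matters: the digest and the salt have to be separated at byte level, which is only possible once the base64 text has been turned back into raw bytes.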
