All password checks disabled... ugh

Alan DeKok aland at
Tue Apr 15 22:42:17 CEST 2014

Stefan Winter wrote:
>> Found that it is set in config. My pap module config is really minimal:
>>         pap {
>>                 auto_header = no

  The auto_header directive has been removed in v3.  The User-Password
is now always just the password.  The Password-With-Header attribute
should contain the header.

> Might do. Meanwhile, one of the mini things I found while chasing ghosts
> is that my "files" instance separates the username and the NT-Password
> := ABCDFOO with *spaces*, while the doc says it needs to be tabs.

  Both spaces and tabs are accepted.  The "users" file parsing code
hasn't changed in v3.

> My theory is that it might have matched line 22, but not actually picked
> up the password; and then by some dubious assumption concluded "nothing
> to check, so Accept"?

  No.  If there's no Cleartext-Password, it should default to rejecting
the request.

> This doesn't explain why other clients on the same virtual server do
> check the NT-Password. Oh well.

  No idea.

  Alan DeKok.
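
A migration check for the change described in the reply above (auto_header removed in v3, headers belong in Password-With-Header), as an added example that is not part of the original message and not FreeRADIUS code: it scans a "users" file for User-Password or Cleartext-Password check items whose value still starts with a header. The function name lint_users, the {scheme} header pattern and the sample entries are assumptions constructed for illustration.

```python
import re

# Attributes that, per the reply above, hold only the bare password in v3.
BARE_ATTRS = {"User-Password", "Cleartext-Password"}
# Assumption: a "header" is a leading {scheme} tag such as {SSHA} or {crypt}.
HEADER_RE = re.compile(r"^\{[A-Za-z0-9_-]+\}")
# One check item: attribute name, operator, quoted or bare value.
ITEM_RE = re.compile(r'([A-Za-z0-9-]+)\s*(:=|==|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')

def lint_users(text):
    """Return (line_no, user, attribute, header) for each header-prefixed value
    stored in an attribute that v3 treats as the bare password."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        # Entry lines start in column 0; indented lines are reply items and
        # lines starting with '#' are comments, so neither is a check line.
        if not line or line[0] in " \t#":
            continue
        # Spaces and tabs both separate the user name from its check items.
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        user, checks = parts
        for attr, _op, value in ITEM_RE.findall(checks):
            m = HEADER_RE.match(value.strip('"'))
            if attr in BARE_ATTRS and m:
                findings.append((no, user, attr, m.group(0)))
    return findings

# Constructed sample "users" file (not from the thread); hashes are placeholders.
SAMPLE = (
    "# constructed sample\n"
    'alice\tCleartext-Password := "{SSHA}PLACEHOLDERHASH"\n'
    '\tReply-Message = "hi"\n'
    'bob    Password-With-Header := "{SSHA}PLACEHOLDERHASH"\n'
    "carol  NT-Password := ABCDFOO\n"
    'dave   User-Password == "{crypt}PLACEHOLDER", Auth-Type := PAP\n'
)

if __name__ == "__main__":
    for no, user, attr, header in lint_users(SAMPLE):
        print(f"line {no}: {user}: {attr} carries {header}; use Password-With-Header")
```
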
