All password checks disabled... ugh

Stefan Winter stefan.winter at restena.lu
Wed Apr 16 08:25:25 CEST 2014


Hi,

I think I have found it now: there is one difference between the two clients which exhibit this strange behaviour and all others which authenticate correctly.

The difference is that the wrongly handled requests were previously proxied to the "staff" virtual server; all other clients are dispatched immediately to that virtual server.

Below is a -X debug of a request that went to staff natively, and which works:

rad_recv: Access-Request packet from host 158.64.2.228 port 47328, id=105, length=63
        User-Name = 'ctompers'
        User-Password = 'sdfghjk'
        NAS-Identifier = 'AAI-Staff-IdP'
(2) # Executing section authorize from file /usr/local/freeradius/config/raddb/sites-enabled/staff
(2)   authorize {
(2)    if ( "%{NAS-Identifier}" == "ejabberd" ) 
(2) EXPAND %{NAS-Identifier}
(2)    --> AAI-Staff-IdP
(2)    if ( "%{NAS-Identifier}" == "ejabberd" )  -> FALSE
(2)    elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" ) 
(2) EXPAND %{NAS-Identifier}
(2)    --> AAI-Staff-IdP
(2)    elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" )  -> TRUE
(2)   elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" )  {
(2)    update request {
(2)     RESTENA-Service-Type = 'Staff-AAI'
(2)    } # update request = noop
(2)   } # elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" )  = noop
(2)    ... skipping else for request 2: Preceding "if" was taken
(2)    if ( "%{client:staff_type}" == "Nagios-Login" && User-Name == "testuser.monitor" ) 
(2) EXPAND %{client:staff_type}
(2)    --> Usermgt
(2)    if ( "%{client:staff_type}" == "Nagios-Login" && User-Name == "testuser.monitor" )  -> FALSE
(2)    if ( "%{RESTENA-Service-Type}" == "Staff-Jabber" ) 
(2) EXPAND %{RESTENA-Service-Type}
(2)    --> Staff-AAI
(2)    if ( "%{RESTENA-Service-Type}" == "Staff-Jabber" )  -> FALSE
(2) auth_log_silent : EXPAND /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail
(2) auth_log_silent :    --> /var/log/radius/radacct/20140416/Staff-AAI-service/auth-detail
(2) auth_log_silent : /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail expands to /var/log/radius/radacct/20140416/Staff-AAI-service/auth-detail
(2) auth_log_silent : EXPAND %t
(2) auth_log_silent :    --> Wed Apr 16 08:19:06 2014
(2)   [auth_log_silent] = ok
(2)    if ( "%{RESTENA-Service-Type}" == "Staff-IMAP" && "%{strlen:%{User-Password}}" == "96" ) 
(2) EXPAND %{RESTENA-Service-Type}
(2)    --> Staff-AAI
(2)    if ( "%{RESTENA-Service-Type}" == "Staff-IMAP" && "%{strlen:%{User-Password}}" == "96" )  -> FALSE
(2)   else else {
(2) staff-auth : users: Matched entry ctompers at line 22
(2)    [staff-auth] = ok
(2)   } # else else = ok
(2)    if ( "%{RESTENA-Service-Type}" == "Staff-AAI" ) 
(2) EXPAND %{RESTENA-Service-Type}
(2)    --> Staff-AAI
(2)    if ( "%{RESTENA-Service-Type}" == "Staff-AAI" )  -> TRUE
(2)   if ( "%{RESTENA-Service-Type}" == "Staff-AAI" )  {
(2) staff-attributes : users: Matched entry ctompers at line 45
(2)    [staff-attributes] = ok
(2)   } # if ( "%{RESTENA-Service-Type}" == "Staff-AAI" )  = ok
(2)   [mschap] = noop
(2) eap-staff : No EAP-Message, not doing EAP
(2)   [eap-staff] = noop
(2) pap : Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(2)   [pap] = updated
(2)    if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" ) 
(2) EXPAND %{Packet-Src-IP-Address}
(2)    --> 158.64.2.228
(2)    if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" )  -> FALSE
(2)  } #  authorize = updated
(2) Found Auth-Type = PAP
(2) # Executing group from file /usr/local/freeradius/config/raddb/sites-enabled/staff
(2)  Auth-Type PAP {
(2) pap : Login attempt with password
(2) pap : Comparing with "known-good" NT-Password

As you can see, staff/authorize/pap actually found the NT-Password and did its stuff with it.

If you compare that with the same pap instance on the other request, it just says noop.

So, I can only suspect that the proxy-to-vserver functionality breaks it.

Greetings,

Stefan Winter


On 15.04.2014 10:26, Stefan Winter wrote:
> Hi,
> 
> posting to devel, as this is possibly a severe bug. Apologies if not.
> 
> In FR 2, I authenticated our staff against a users-style file, setting NT-Password := ...
> 
> Their passwords were checked.
> 
> In FreeRADIUS 3, I retained this, NT-Passwords are found, pap returns noop(?), authorize returns ok, and then I see 
> 
> Auth-Type = Accept, accepting the user
> 
> *regardless of his password* ?
> 
> I've rolled back the one affected vserver that had this problem, but would be really interested in an explanation. Here is the -X flow:
> 
> rad_recv: Access-Request packet from host 158.64.1.65 port 46814, id=96, length=63
>         User-Name = 'ctompers'
>         User-Password = ''
>         NAS-Identifier = 'AAI-Staff-IdP'
> (11) # Executing section authorize from file /usr/local/freeradius/config/raddb/sites-enabled/AAI
> (11)   authorize {
> (11)    if ( NAS-Identifier == "AAI-Staff-IdP" ) 
> (11)    if ( NAS-Identifier == "AAI-Staff-IdP" )  -> TRUE
> (11)   if ( NAS-Identifier == "AAI-Staff-IdP" )  {
> (11)    update request {
> (11)    RESTENA-Service-Type := 'Staff-AAI'
> (11)    } # update request = noop
> (11)   } # if ( NAS-Identifier == "AAI-Staff-IdP" )  = noop
> (11)    ... skipping else for request 11: Preceding "if" was taken
> (11) suffix : No '@' in User-Name = "ctompers", looking up realm NULL
> (11) suffix : No such realm "NULL"
> (11)   [suffix] = noop
> (11)    if ( NAS-Identifier == "AAI-Staff-IdP" ) 
> (11)    if ( NAS-Identifier == "AAI-Staff-IdP" )  -> TRUE
> (11)   if ( NAS-Identifier == "AAI-Staff-IdP" )  {
> (11)    update control {
> (11)    Proxy-To-Realm := 'TO-STAFF'
> (11)    } # update control = noop
> (11)   } # if ( NAS-Identifier == "AAI-Staff-IdP" )  = noop
> (11)    ... skipping else for request 11: Preceding "if" was taken
> (11)  } #  authorize = noop
> Proxying to virtual server staff
> (11) # Executing section authorize from file /usr/local/freeradius/config/raddb/sites-enabled/staff
> (11)   authorize {
> (11)    if ( "%{NAS-Identifier}" == "ejabberd" ) 
> (11) EXPAND %{NAS-Identifier}
> (11)    --> AAI-Staff-IdP
> (11)    if ( "%{NAS-Identifier}" == "ejabberd" )  -> FALSE
> (11)    elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" ) 
> (11) EXPAND %{NAS-Identifier}
> (11)    --> AAI-Staff-IdP
> (11)    elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" )  -> TRUE
> (11)   elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" )  {
> (11)    update request {
> (11)    RESTENA-Service-Type = 'Staff-AAI'
> (11)    } # update request = noop
> (11)   } # elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" )  = noop
> (11)    ... skipping else for request 11: Preceding "if" was taken
> (11)    if ( "%{client:staff_type}" == "Nagios-Login" && User-Name == "testuser.monitor" ) 
> (11) Client does not contain config item "staff_type"
> (11) EXPAND %{client:staff_type}
> (11)    --> 
> (11)    if ( "%{client:staff_type}" == "Nagios-Login" && User-Name == "testuser.monitor" )  -> FALSE
> (11)    if ( "%{RESTENA-Service-Type}" == "Staff-Jabber" ) 
> (11) EXPAND %{RESTENA-Service-Type}
> (11)    --> Staff-AAI
> (11)    if ( "%{RESTENA-Service-Type}" == "Staff-Jabber" )  -> FALSE
> (11) auth_log_silent : EXPAND /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail
> (11) auth_log_silent :    --> /var/log/radius/radacct/20140415/Staff-AAI-service/auth-detail
> (11) auth_log_silent : /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail expands to /var/log/radius/radacct/20140415/Staff-AAI-service/auth-detail
> (11) auth_log_silent : EXPAND %t
> (11) auth_log_silent :    --> Tue Apr 15 09:57:57 2014
> (11)   [auth_log_silent] = ok
> (11)    if ( "%{RESTENA-Service-Type}" == "Staff-IMAP" && "%{strlen:%{User-Password}}" == "96" ) 
> (11) EXPAND %{RESTENA-Service-Type}
> (11)    --> Staff-AAI
> (11)    if ( "%{RESTENA-Service-Type}" == "Staff-IMAP" && "%{strlen:%{User-Password}}" == "96" )  -> FALSE
> (11)   else else {
> (11) staff-auth : users: Matched entry ctompers at line 22
> (11)    [staff-auth] = ok
> (11)   } # else else = ok
> (11)    if ( "%{RESTENA-Service-Type}" == "Staff-AAI" ) 
> (11) EXPAND %{RESTENA-Service-Type}
> (11)    --> Staff-AAI
> (11)    if ( "%{RESTENA-Service-Type}" == "Staff-AAI" )  -> TRUE
> (11)   if ( "%{RESTENA-Service-Type}" == "Staff-AAI" )  {
> (11) staff-attributes : users: Matched entry ctompers at line 45
> (11)    [staff-attributes] = ok
> (11)   } # if ( "%{RESTENA-Service-Type}" == "Staff-AAI" )  = ok
> (11)   [mschap] = noop
> (11)   [eap-staff] = noop
> (11)   [pap] = noop
> (11)    if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" ) 
> (11) EXPAND %{Packet-Src-IP-Address}
> (11)    --> 158.64.1.65
> (11)    if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" )  -> FALSE
> (11)  } #  authorize = ok
> (11) Auth-Type = Accept, accepting the user
> (11) # Executing section post-auth from file /usr/local/freeradius/config/raddb/sites-enabled/staff
> (11)   post-auth {
> (11)   restena_log_policy restena_log_policy {
> 
> You see two files matches:
> 
> the first one, "staff-auth : users: Matched entry ctompers at line 22" is the NT-Password:
> 
> [...]
> ctompers      NT-Password := EA38E7ADC559499F31CF4FA0F195ABCD
> [...]
> 
> (the password hash is edited)
> 
> The second match is a series of reply attributes, none of which is Auth-Type of course. The match at that line 45 is expected.
> 
> But... WHY does it not check the password against the NT-Password? This same config works with FreeRADIUS 2; pap returns updated, authorize returns updated, and authenticate checks the input against the configured password?
> 
> Greetings,
> 
> Stefan Winter
> 
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
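An added audit script, not from this thread or from the FreeRADIUS project, that scans radiusd -X output for the pattern shown in the two traces above: an Access-Request that ends in "Auth-Type = Accept, accepting the user" while pap never returned updated, reporting alongside whether User-Password was empty as it was in the proxied request. The sample trace is constructed from the quoted lines; the record layout and function names are the script's own.

```python
import re
# Constructed sample in the shape of the two radiusd -X traces quoted above, cut
# down to the lines the audit reads (request 11 was accepted unchecked, 2 worked).
SAMPLE = """\
rad_recv: Access-Request packet from host 158.64.1.65 port 46814, id=96, length=63
        User-Name = 'ctompers'
        User-Password = ''
(11)   [pap] = noop
(11) Auth-Type = Accept, accepting the user
rad_recv: Access-Request packet from host 158.64.2.228 port 47328, id=105, length=63
        User-Name = 'ctompers'
        User-Password = 'sdfghjk'
(2)   [pap] = updated
(2) Found Auth-Type = PAP
"""

RE_RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=\d+")
RE_ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")      # attribute dump under rad_recv
RE_REQ = re.compile(r"^\((\d+)\)\s*(.*)$")         # lines tagged with a request number
RE_MODRC = re.compile(r"^\[([\w-]+)\] = (\w+)$")   # module return code, e.g. [pap] = noop

def parse_debug(text):
    """Group -X output per request. The rad_recv header and its attribute dump
    carry no request number, so they attach to the first '(N)' line after them."""
    requests, pending = {}, None
    for line in text.splitlines():
        if m := RE_RECV.match(line):
            pending = {"code": m.group(1), "src": m.group(2), "attrs": {},
                       "modules": {}, "auth_type": None}
        elif (m := RE_ATTR.match(line)) and pending is not None:
            pending["attrs"][m.group(1)] = m.group(2).strip("'")
        elif m := RE_REQ.match(line):
            num, body = int(m.group(1)), m.group(2).strip()
            if pending is not None:
                requests[num], pending = pending, None
            if not (rec := requests.get(num)):
                continue                                   # trace began mid-request
            if mm := RE_MODRC.match(body):
                rec["modules"][mm.group(1)] = mm.group(2)
            elif body.startswith(("Found Auth-Type = ", "Auth-Type = ")):
                rec["auth_type"] = body.split("= ", 1)[1].split(",")[0]  # "PAP" or "Accept"
    return requests

def audit(requests):
    """(req, user, src, pap_rc, empty_password) for each Access-Request accepted
    although pap never returned 'updated', i.e. no password was verified."""
    return [(n, r["attrs"].get("User-Name"), r["src"], r["modules"].get("pap", "not run"),
             r["attrs"].get("User-Password") == "")
            for n, r in sorted(requests.items())
            if r["code"] == "Access-Request" and r["auth_type"] == "Accept"
            and r["modules"].get("pap") != "updated"]
```

Run it over a full "radiusd -X" capture; every tuple it returns is a request the server accepted without pap ever comparing a password.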