filter_username and regexps broken

Sam Hartman hartmans at mit.edu
Thu Mar 5 17:28:04 CET 2015


I'm getting a request denied because the username matches \.\., but I
don't see why that should be true.

Thread 3 handling request 0, (1 handled so far)
(0) Received Access-Request Id 0 from 127.0.0.1:53392 to 0.0.0.0:2083 length 130
(0)   User-Name = '@apc.painless-security.com'
(0)   GSS-Acceptor-Service-Name = 'trustidentity'
(0)   GSS-Acceptor-Host-Name = 'hartmans.local'
(0)   EAP-Message = 0x0200001f01406170632e7061696e6c6573732d73656375726974792e636f6d
(0)   Message-Authenticator = 0xc977441e8dda36e128cbd617a7f16ed1
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/abfab-tr-idp
(0)   authorize {
(0)     policy psk_authorize {
(0)       if (tls-psk-identity =* ANY) {
(0)       if (tls-psk-identity =* ANY)  -> FALSE
(0)     } # policy psk_authorize = notfound
(0)     policy filter_username {
(0)       if (!&User-Name) {
(0)       if (!&User-Name)  -> FALSE
(0)       if (&User-Name =~ / /) {
(0)       if (&User-Name =~ / /)  -> FALSE
(0)       if (&User-Name =~ /@.*@/ ) {
(0)       if (&User-Name =~ /@.*@/ )  -> FALSE
(0)       if (&User-Name =~ /\.\./ ) {
(0)       if (&User-Name =~ /\.\./ )  -> TRUE
(0)       if (&User-Name =~ /\.\./ )  {
(0)         update reply {
(0)           &Reply-Message += 'Rejected: Username contains ..s'
(0)         } # update reply = noop
(0)         [reject] = reject
(0)       } # if (&User-Name =~ /\.\./ )  = reject
(0)     } # policy filter_username = reject
(0)   } # authorize = reject
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/abfab-tr-idp
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> @apc.painless-security.com
(0) attr_filter.access_reject: Matched entry DEFAULT at line 18
(0)     [attr_filter.access_reject] = updated
(0)     if &reply:Eap-Message {
(0)     if &reply:Eap-Message  -> FALSE
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Thread 3 waiting to be assigned a request
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 0 from 0.0.0.0:2083 to 127.0.0.1:53392 length 53
(0)   Reply-Message += 'Rejected: Username contains ..s'
Waking up in 3.9 seconds.
Closing TLS socket from client port 53392
(0) >>> TLS 1.0 Alert [length 0002], warning close_notify 
Client has closed connection
Waking up in 3.9 seconds.
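Added example, not from the thread or from FreeRADIUS: the filter_username checks visible in the trace above, written as Python regexes so the expected behaviour can be checked outside the server. The sample usernames and the "backslashes stripped before the regex engine" hypothesis are assumptions, not a diagnosis from the thread.

```python
import re

# Constructed sample usernames; the first is the User-Name from the debug output above.
SAMPLES = [
    "@apc.painless-security.com",
    "bob@example.com",
    "bob smith@example.com",
    "bob@evil@example.com",
    "../etc/passwd@example.com",
]

# The three regex checks from the filter_username policy, in the order the trace runs them.
# Raw strings keep the backslashes, so "\.\." reaches the regex engine as two literal dots.
RULES = [
    (re.compile(r" "), "contains a space"),
    (re.compile(r"@.*@"), "contains multiple @ signs"),
    (re.compile(r"\.\."), "contains ..s"),
]


def filter_username(name):
    """Return None if the name is accepted, else the reason of the first matching rule."""
    if not name:  # mirrors the leading `if (!&User-Name)` check
        return "missing User-Name"
    for pattern, reason in RULES:
        if pattern.search(name):
            return reason
    return None


# Hypothesis (assumption): if the backslashes are lost before the pattern is compiled,
# "\.\." degrades to "..", meaning "any two characters", which matches almost any name.
STRIPPED_DOTDOT = re.compile("..")


def dotdot_matches(name, pattern=RULES[2][0]):
    """True if the given pattern (default: the correctly escaped \\.\\.) matches the name."""
    return pattern.search(name) is not None


if __name__ == "__main__":
    for user in SAMPLES:
        print(f"{user!r}: {filter_username(user) or 'accepted'}")
```

With the escaped pattern the trace's username is accepted; only the degraded ".." pattern reproduces the TRUE seen in the log.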

