Accessing the "Authenticator" value from within a perl script
Alan DeKok
aland at deployingradius.com
Wed Jun 28 20:26:46 UTC 2023
On Jun 28, 2023, at 11:53 AM, Lannar Dean via Freeradius-Devel <freeradius-devel at lists.freeradius.org> wrote:
>
> When using the perl module to process access-requests, is it possible to
> get the "Authenticator" value (NOT the Message-Authenticator)?
It's in the virtual attribute Packet-Authentication-Vector. You'll have to copy that to a "real" attribute for it to show up in rlm_perl.
> There is a VSA which contains encoded data, which is using the encoding
> mechanism specified in RFC2865, which requires the Authenticator to
> decrypt. It does not decode properly when the dictionary specifies RFC2865
> (encrypt=1) or RFC2868 (encrypt=2), because the encrypted data is sometimes
> larger than 192 bytes which is not supported in the Password attribute.
Edit src/lib/radius.c. Find MAX_PASS_LEN. Change (128) to (254). Recompile.
> For example, I need access to the following value, visible in a packet
> capture, from within my perl script: Authenticator value
> <https://i.stack.imgur.com/p6LTq.png> (not the Message-Authenticator AVP
> <https://i.stack.imgur.com/dB4q4.png>)
>
> The text to be decrypted is present in a VSA that is defined in a
> dictionary, such as
>
> ATTRIBUTE MyVendors-Special-Passphrase 44 string encrypt=1
>
> (also tried encrypt=2)
That uses a completely different encryption method, and won't work for attributes which are supposed to use "encrypt=1".
TBH the simplest thing is to just change MAX_PASS_LEN. The RFCs say that User-Password is limited to 128 characters. But I can't for the life of me think of an issue with allowing passwords to be longer than 128 bytes.
Since pretty much no one ever sends passwords that long, changing MAX_PASS_LEN won't really affect anyone.
Alan DeKok.