Accessing the "Authenticator" value from within a perl script

Alan DeKok aland at
Wed Jun 28 20:26:46 UTC 2023

On Jun 28, 2023, at 11:53 AM, Lannar Dean via Freeradius-Devel <freeradius-devel at> wrote:
> When using the perl module to process access-requests, is it possible to
> get the "Authenticator" value (NOT the Message-Authenticator)?

  It's in the virtual attribute Packet-Authentication-Vector.  You'll have to copy that to a "real" attribute for it to show up in rlm_perl.

> There is a VSA which contains encoded data, which is using the encoding
> mechanism specified in RFC2865, which requires the Authenticator to
> decrypt. It does not decode properly when the dictionary specifies RFC2865
> (encrypt=1) or RFC2868 (encrypt=2), because the encrypted data is sometimes
> larger than 192 bytes which is not supported in the Password attribute.

  Edit src/lib/radius.c.  Find MAX_PASS_LEN.  Change (128) to (254).  Recompile.

> For example, I need access to the following value, visible in a packet
> capture, from within my perl script: Authenticator value
> (not the Message-Authenticator AVP)
> The text to be decrypted is present in a VSA that is defined in a
> dictionary, such as
> ATTRIBUTE    MyVendors-Special-Passphrase     44 string encrypt=1
> (also tried encrypt=2)

  That uses a completely different encryption method, and won't work for attributes which are supposed to use "encrypt=1".

  TBH the simplest thing is to just change MAX_PASS_LEN.  The RFCs say that User-Password is limited to 128 characters.  But I can't for the life of me think of an issue with allowing passwords to be longer than 128 bytes.

  Since pretty much no one ever sends passwords that long, changing MAX_PASS_LEN won't really affect anyone.

  Alan DeKok.
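
The decoding the question describes, as an added example (not code from this thread or from FreeRADIUS): RFC 2865 section 5.2 un-hiding done in Perl, for use once the Request Authenticator has been copied into a real attribute as described above. The function names, shared secret and sample bytes are constructed for illustration, and how the raw VSA octets and authenticator reach the script is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5);

# RFC 2865 section 5.2: c(i) = p(i) XOR MD5(secret . c(i-1)),
# where c(0) is the 16-octet Request Authenticator.
# Hypothetical helper, used here only to build a test value.
sub rfc2865_hide {
    my ($plain, $secret, $authenticator) = @_;
    die "authenticator must be 16 octets\n" unless length($authenticator) == 16;
    # Pad with NULs to a multiple of 16 octets (at least one block).
    my $padded = $plain . ("\0" x ((16 - length($plain) % 16) % 16));
    $padded = "\0" x 16 if $padded eq '';
    my ($prev, $out) = ($authenticator, '');
    for (my $i = 0; $i < length($padded); $i += 16) {
        my $block = substr($padded, $i, 16) ^ md5($secret . $prev);
        $out .= $block;
        $prev = $block;    # each block chains on the previous ciphertext block
    }
    return $out;
}

# Hypothetical helper: reverse the hiding. No length cap is applied here,
# so values longer than 128 octets decode the same way as short ones.
sub rfc2865_unhide {
    my ($cipher, $secret, $authenticator) = @_;
    die "authenticator must be 16 octets\n" unless length($authenticator) == 16;
    die "ciphertext length must be a non-zero multiple of 16\n"
        if length($cipher) == 0 || length($cipher) % 16;
    my ($prev, $out) = ($authenticator, '');
    for (my $i = 0; $i < length($cipher); $i += 16) {
        my $block = substr($cipher, $i, 16);
        $out .= $block ^ md5($secret . $prev);
        $prev = $block;
    }
    $out =~ s/\0+\z//;     # strip the NUL padding
    return $out;
}

# Constructed sample values, not taken from any real capture.
my $secret = 'testing123';
my $auth   = pack('H*', '000102030405060708090a0b0c0d0e0f');
my $plain  = 'A' x 200;
my $hidden = rfc2865_hide($plain, $secret, $auth);
printf "hidden length: %d octets\n", length($hidden);
print  "round trip ok\n" if rfc2865_unhide($hidden, $secret, $auth) eq $plain;
```

The string XOR relies on both operands being byte strings, so pass the authenticator and attribute value as raw octets (decode any hex form with `pack('H*', ...)` first) and do not enable Perl's `bitwise` feature in the script.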
