PAM radius module and "Prompt" attribute.

ugengia-reg at yahoo.it ugengia-reg at yahoo.it
Fri Oct 31 16:31:47 CET 2008


Hi,
the proposed patch doesn't work on Solaris 10 & RSA Authentication Manager 7.1: "Bus Error" and core dump when the Access-Challenge is received.

The following patch works (gcc 3.4.3):

--- pam_radius_auth.c.orig	Tue Oct 28 13:07:22 2008
+++ pam_radius_auth.c	Wed Oct 29 15:11:20 2008
@@ -1188,8 +1188,9 @@
    *  challenges as we receive.
    */
   while (response->code == PW_ACCESS_CHALLENGE) {
-    attribute_t *a_state, *a_reply;
+    attribute_t *a_state, *a_reply, *a_prompt;
     char challenge[BUFFER_SIZE];
+    int prompt;
 
     /* Now we do a bit more work: challenge the user, and get a response */
     if (((a_state = find_attribute(response, PW_STATE)) == NULL) ||
@@ -1212,8 +1213,18 @@
     memcpy(challenge, a_reply->data, a_reply->length - 2);
     challenge[a_reply->length - 2] = 0;
 
+    prompt = PAM_PROMPT_ECHO_ON;
+    if((a_prompt = find_attribute(response, PW_PROMPT)) != NULL){
+      uint32_t prompt_val_net = 0;
+      uint32_t prompt_val = 0;
+      memcpy((void *)&prompt_val_net, (void *) a_prompt->data, sizeof(uint32_t));
+      prompt_val = ntohl(prompt_val_net);
+      DPRINT(LOG_DEBUG, "Got Prompt=%d",prompt_val);
+      if(!prompt_val) prompt=PAM_PROMPT_ECHO_OFF;
+    }
+
     /* It's full challenge-response, we should have echo on */
-    retval = rad_converse(pamh, PAM_PROMPT_ECHO_ON, challenge, &resp2challenge);
+    retval = rad_converse(pamh, prompt, challenge, &resp2challenge);
 
     /* now that we've got a response, build a new radius packet */
     build_radius_packet(request, user, resp2challenge, &config);
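
Review bot: the new `if((a_prompt = find_attribute(response, PW_PROMPT)) != NULL)` block copies `sizeof(uint32_t)` bytes out of `a_prompt->data` without looking at `a_prompt->length`. The context line `memcpy(challenge, a_reply->data, a_reply->length - 2)` shows that `length` counts the two header bytes, so a well-formed integer attribute has length 6; a shorter Prompt attribute in an Access-Challenge would make the copy read bytes that belong to whatever follows it in the packet. Check `a_prompt->length == 6` before the `memcpy` and keep the default style otherwise. The `memcpy` into a local followed by `ntohl()` is the right way to read the value, since it avoids dereferencing a possibly unaligned pointer. Two smaller points: `prompt_val` is a `uint32_t`, so the `DPRINT` format should be `%u` rather than `%d`, and the retained comment "It's full challenge-response, we should have echo on" no longer matches the call below it and should be updated to say the style follows the Prompt attribute.
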
--- radius.h.orig	Tue Oct 28 13:07:29 2008
+++ radius.h	Tue Oct 28 13:12:36 2008
@@ -123,7 +123,7 @@
 #define PW_NAS_PORT_TYPE                61      /* integer */
 #define PW_PORT_LIMIT                   62      /* integer */
 #define PW_LOGIN_LAT_PORT               63      /* string */
-#define PW_PROMPT                       64      /* integer */
+#define PW_PROMPT                       76      /* integer */
 
 /*
  *	INTEGER TRANSLATIONS
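
Review bot: after this change `PW_PROMPT` is 76 but still sits directly below `PW_LOGIN_LAT_PORT` (63), in a block that is otherwise in ascending attribute order. Move the define to its numeric position and add a comment citing RFC 2869, which assigns type 76 to Prompt. Type 64 is Tunnel-Type (RFC 2868), so with the old value the `find_attribute(response, PW_PROMPT)` lookup added in pam_radius_auth.c could never match a Prompt attribute; that is worth stating in the commit message, since this one-line correction is a bug fix in its own right.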

Regards,
Cesare

--- On Wed 22/10/08, Alan DeKok <aland at deployingradius.com> wrote:

> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: PAM radius module and "Prompt" attribute.
> To: ugengia-reg at yahoo.it, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Date: Wednesday 22 October 2008, 18:40
> ugengia-reg at yahoo.it wrote:
> > All is working well, but I found a problem when the PAM module receives an Access-Challenge.
> > 
> > Here is the problem: even if the RADIUS server sends a Prompt="No Echo" attribute, my PAM conversation function receives a PAM_PROMPT_ECHO_ON msg_style instead of a PAM_PROMPT_ECHO_OFF.
> 
> 
>  See: http://bugs.freeradius.org/show_bug.cgi?id=609
> 
> > As far as I know the Prompt attribute is not mandatory for RFC 2865 compliance; in fact this attribute is specified in RFC 2869 - Radius Extensions.
> > 
> > The question is: will the Prompt attribute be supported in a future release of the PAM service module?
> 
>   Possibly, yes.
> 
>   Alan DeKok.

