username with several passwords. Which op value?
Kenneth Grady
klg at lanl.gov
Wed Apr 22 21:39:40 CEST 2009
John Dennis wrote:
> Santiago Balaguer García wrote:
>> Hi,
>>
>> I want the 'san0001' user to have two passwords. In my
>> radcheck table there is:
>>
>> Username | Attribute | op | value
>> ------------------------------------
>> san0001 Password ?? santi1
>> san0001 Password ?? santi2
>>
>> Which op value do I have to use (=, :=, +=, ==)?
:= is the proper op for Cleartext-Password or for User-Password
== works only for User-Password but warns you to change it to :=
I don't know about Password.
>
> Multiple valid passwords for a single user is a bad idea for a host of
> reasons. On top of that the username field should be a unique primary
> key disallowing duplicates enforced by the SQL database. I have no
> clue what it means to query a username and get multiple rows back and
> I suspect the internal code would be confused by this as well (note I
> have not looked at the code in question, but I would suspect it would
> do one of two things, use the first row returned or fail with an error
> if multiple rows). The concept of iterating over multiple rows until a
> password finally works is so dubious I would be most surprised if it
> were coded this way (and if it was I'd consider it a bug and security
> flaw).
We just don't have enough information to make a decision. If the query
returns id, Username, Attribute, op, value sorted by id, perhaps we
could. If the attributes were

    san0001 Cleartext-Password := santi1
    san0001 NAS-IP-Address == 123.123.123.123
    san0001 Cleartext-Password := santi2
    san0001 NAS-IP-Address == 234.234.234.234

It might make sense to have different passwords on different NAS boxes.
>
> The short answer is don't do this and don't expect the server to work
> this way.
>
> --
> John Dennis <jdennis at redhat.com>
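An added example, not part of the original thread and not FreeRADIUS code: an audit over a radcheck-style table that flags users with more than one password row and password rows whose operator is not `:=`, the operator the reply above calls proper for Cleartext-Password and User-Password. The column layout follows the columns named in the thread; the in-memory SQLite database, the `bob0002` row, and treating the bare `Password` attribute the same way are assumptions made for the example.

```python
import sqlite3

# Attribute names mentioned in the thread; including bare "Password" is an assumption.
PASSWORD_ATTRS = ("Password", "User-Password", "Cleartext-Password")

def audit_radcheck(conn):
    """Return (duplicates, bad_ops) for a radcheck-style table.

    duplicates: {username: [(id, attribute, op), ...]} for users with >1 password row.
    bad_ops:    [(id, username, attribute, op)] for password rows not using ':='.
    Password values are never selected, so they cannot leak into the report.
    """
    marks = ",".join("?" * len(PASSWORD_ATTRS))
    rows = conn.execute(
        f"SELECT id, username, attribute, op FROM radcheck "
        f"WHERE attribute IN ({marks}) ORDER BY id",
        PASSWORD_ATTRS,
    ).fetchall()
    per_user, bad_ops = {}, []
    for row_id, user, attr, op in rows:
        per_user.setdefault(user, []).append((row_id, attr, op))
        if op != ":=":
            bad_ops.append((row_id, user, attr, op))
    duplicates = {u: r for u, r in per_user.items() if len(r) > 1}
    return duplicates, bad_ops

def build_sample():
    """Constructed sample data using the columns named in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
                 "attribute TEXT, op TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?,?,?,?)",
        [
            ("san0001", "Cleartext-Password", ":=", "santi1"),
            ("san0001", "NAS-IP-Address", "==", "123.123.123.123"),
            ("san0001", "Cleartext-Password", ":=", "santi2"),
            ("san0001", "NAS-IP-Address", "==", "234.234.234.234"),
            ("bob0002", "User-Password", "==", "example"),
        ],
    )
    return conn

if __name__ == "__main__":
    dups, bad = audit_radcheck(build_sample())
    for user, rows in dups.items():
        print(f"{user}: {len(rows)} password rows (ids {[r[0] for r in rows]})")
    for row_id, user, attr, op in bad:
        print(f"row {row_id}: {user} {attr} uses '{op}', expected ':='")
```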