Old password 'grace period'

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Thu Jun 25 13:29:09 CEST 2009



-------- Original Message --------
Subject: Re: Old password 'grace period'
Date: Thu, 25 Jun 2009 12:11:07 +0100
From: Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>
Organization: University of Sussex
To: tnt at kalik.net

[snip]

> I have tested something like this yesterday - it doesn't. You can't just
> replace Cleartext-Password. NT-Password and LM-Password were created for
> the "new" password and mschap module will reuse them, completely ignoring
> "old" Cleartext-Password. They need to be removed or replaced before
> mschap module is called again.

Ahhh ok... Yes, the code agrees with you :)

    } else if (!password) {
        RDEBUG2("No Cleartext-Password configured.  Cannot create LM-Password.");

    } else {    /* there is a configured Cleartext-Password */
        lm_password = radius_pairmake(request, &request->config_items,
                                      "LM-Password", "", T_OP_EQ);

Writes the NT-Password and LM-Password values back to the control list of the request.

But seeing as the values are just being stored in the control list of the request,
we can remove them using unlang.


authenticate {
    mschap {
        update control {
            Cleartext-Password := "%{sql_new:SELECT <cleartext password query...>}"
        }
        mschap {
            reject = 2
        }
        if (reject) {
            update control {
                NT-Password -= "%{control:NT-Password}"
                LM-Password -= "%{control:LM-Password}"
                Cleartext-Password := "%{sql_old:SELECT <cleartext password query...>}"
            }
            mschap
        }
    }
}

Thanks,
Arran
-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
