Old password 'grace period'

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Thu Jun 25 15:53:12 CEST 2009

On 25/6/09 12:01, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>> I leave you guys alone for 5 minutes....
> 8-)  as i said, theres probably a way of doing it

:P Granted, was trickier than it first appeared. After a brief discussion with Ivan, looks like this should work (he pointed out the security hole with not checking for a null old password)...

instantiate {

authorize {
     # Retrieves credentials
     # Sets auth-type mschap

authenticate {
     Auth-Type MS-CHAP {
	mschap {
             reject = 2
		# Could alternatively write the value of a custom attribute into Cleartext-password
		# if both old and new passwords were returned in the call to sql* in authorize.
		update control {
			Cleartext-Password := "%{sql_old:SELECT<cleartext password query...>}"
     		# Stop users logging in with null password (if there's no 'old' password set)
		if("%{control:Cleartext-Password}" == ''){
		# Remove stale password hashes created on first call to rlm_mschap
		update control {
			NT-Password -= "%{control:NT-Password}"
			LM-Password -= "%{control:LM-Password}"

Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2

More information about the Freeradius-Users mailing list