regex 'fun'
Alexander Clouter
alex at digriz.org.uk
Tue Nov 3 15:49:56 CET 2009
Alan DeKok <aland at deployingradius.com> wrote:
>
> Alexander Clouter wrote:
>> Okay, maybe my regex is bad...so I tested it:
>> ----
>> alex@berk:~$ cat moo
>> xwFMNc02QnAbZlQ9wI9tiG@GlobalSignRootCA.test
>> xwFMNc02QnAbZlQ9wI9tiG@GlobalSign Root CA
>> wobble@example.com
>> wibble@example.co.uk
>>
>> alex@berk:~$ grep '[[:graph:]]*@\([-[:alnum:]]\+\.\)\+[[:alpha:]]\{2,\}' moo
>> xwFMNc02QnAbZlQ9wI9tiG@GlobalSignRootCA.test
>> wobble@example.com
>> wibble@example.co.uk
>> ----
>>
>> Any ideas? Bug? Feature?
>
> FreeRADIUS uses the system regex libraries. grep might be using its
> own regex implementation.
>
> Specifically, I'm not sure [[:alpha:]] and friends are supported by
> the system regex library.
>
grep implies it does in the man page, and I am using the *basic* regex
mode too.
I got those :alpha:-n-chums actually working and tested them with a
bunch of test cases; they definitely seem to be doing what I would
expect...well unless the realm has a space in it :)
Ignoring the 'space', the fact that there is not '.' in the Globalsign
realms should have caused it to be rejected, which to me rules out the
'alnum'/'alpha' bits surely?
> I would suggest writing the rules to sanitize realms in layers:
>
> - reject requests containing malformed User-Names (spaces, etc.)
> - proxy *known* realms to another virtual server to handle them
> - proxy *other* realms to eduroam.
>
I already do that, it's the malformed and non-routable (EAP-SIM-esque
realms) realms that are the problem.
> Eduroam should really be creating a routing protocol for RADIUS. I
> don't think it would be hard: git + ssh + text files. See Section 2.7
> of:
>
> http://tools.ietf.org/id/draft-dekok-radext-nai-00.txt
>
I never understood why eduroam just didn't use SRV records against
the realm to find the RADIUS server and a DNS based whitelist to
validate which realms were part of the community. :-/
For that tiny amount of effort you get to remove those darn proxy
servers and more reliability (large TTLs on realm whitelist), plus
when DNSSEC gets rolled out to .ac.uk and wherever...you get that for
free too.
The only complication I can see is the Message-Authenticator I think,
however I would imagine the .ac.uk community can dig into the sofa for
some loose change to hire some FreeRADIUS consultant...if he is not too
busy lying with his feet kicked up in France with fresh food and good
wine :)
At this point I would imagine the eduroam world will descend upon me
saying "the world is not 'a' FreeRADIUS", to which I reply "then you
will not be part of it" if you are too lazy to configure a 'dumb'
standalone FreeRADIUS proxy :)
However, I am just a network monkey, no one listens to me :)
Cheers
--
Alexander Clouter
.sigmonster says: You're not Dave. Who are you?
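The grep-versus-system-library question above can be settled directly: the following is an added example (not code from the thread, nor from FreeRADIUS or grep) that compiles the list's realm pattern with the libc regcomp/regexec, the POSIX library Alan says FreeRADIUS links against, and runs it over a constructed copy of the 'moo' test names. The pattern is rewritten from GNU basic syntax (\( \) \+ \{ \}) into POSIX extended syntax, so `REG_EXTENDED` is an assumption of this example, not a statement about how FreeRADIUS compiles its own patterns. The example also adds an anchored form of the pattern, which is the check a User-Name sanitiser actually wants: the unanchored grep test accepts a name that merely contains a well-formed user@realm somewhere, while the anchored form rejects anything with a space or other trailing junk.

```c
/* Added example: run the thread's realm pattern through the system POSIX
 * regex library (regcomp/regexec) rather than through grep. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Thread pattern, converted from GNU BRE to POSIX ERE (assumption: the
 * caller compiles with REG_EXTENDED). */
#define REALM_BODY "[[:graph:]]*@([-[:alnum:]]+\\.)+[[:alpha:]]{2,}"

/* Unanchored, exactly like the grep test: a match anywhere counts. */
static const char *PAT_SEARCH = REALM_BODY;
/* Anchored: the whole User-Name must be a single well-formed user@realm. */
static const char *PAT_WHOLE  = "^" REALM_BODY "$";

/* Returns 1 if subject matches pattern, 0 if it does not, and -1 if the
 * system regcomp refuses to compile the pattern at all. */
int realm_matches(const char *pattern, const char *subject)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Does this libc accept POSIX character classes such as [[:alpha:]]? */
int posix_classes_supported(void)
{
    regex_t re;
    if (regcomp(&re, "^[[:alpha:]]+$", REG_EXTENDED | REG_NOSUB) != 0)
        return 0;
    regfree(&re);
    return 1;
}

int main(void)
{
    /* Constructed test data mirroring the 'moo' file from the thread,
     * plus one name with trailing junk to show why anchoring matters. */
    const char *names[] = {
        "xwFMNc02QnAbZlQ9wI9tiG@GlobalSignRootCA.test",
        "xwFMNc02QnAbZlQ9wI9tiG@GlobalSign Root CA",
        "wobble@example.com",
        "wibble@example.co.uk",
        "wobble@example.com trailing junk",
    };

    printf("POSIX classes supported by libc: %s\n",
           posix_classes_supported() ? "yes" : "no");
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-45s search=%d whole=%d\n", names[i],
               realm_matches(PAT_SEARCH, names[i]),
               realm_matches(PAT_WHOLE, names[i]));
    return 0;
}
```

On a glibc system the output agrees with the grep run in the thread for the four original names; the fifth line shows search=1 but whole=0, which is the difference between "contains a realm" and "is a realm" that a reject rule should be built on.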