Expired unix system passwords

James Smallacombe up at 3.am
Thu Oct 1 17:40:33 CEST 2009


On Wed, 30 Sep 2009, Ivan Kalik wrote:

>> We have a client running FreeRadius 2.1.6 on a Linux box authenticating
>> against shadow passwords.  I've gone over the radiusd.conf and it appears
>> that the expire module is enabled by default in the global config (there
>> are no virtual servers here).  However, FreeRadius appears to be ignoring
>> this attribute and authenticating users with expired passwords anyway.  I
>> tried expiring the account and that worked, but it would be much better to
>> have it respect expired passwords.
>
> Debug?
>
> Ivan Kalik

OK, here's the output from running radiusd with "-xx" debugging (note that the test user is authenticated by [pap] via CRYPT while [expiration] returns noop):

group = wheel
user = root
including dictionary file /usr/etc/raddb/dictionary
main {
 	prefix = "/usr"
 	localstatedir = "/usr/var"
 	logdir = "/var/log/radius"
 	libdir = "/usr/lib"
 	radacctdir = "/var/log/radius/radacct"
 	hostname_lookups = no
 	max_request_time = 30
 	cleanup_delay = 5
 	max_requests = 1024
 	allow_core_dumps = no
 	pidfile = "/usr/var/run/radiusd/radiusd.pid"
 	checkrad = "/usr/sbin/checkrad"
 	debug_level = 0
 	proxy_requests = no
  log {
 	stripped_names = no
 	auth = yes
 	auth_badpass = yes
 	auth_goodpass = no
  }
  security {
 	max_attributes = 200
 	reject_delay = 1
 	status_server = yes
  }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
  client localhost {
 	ipaddr = 127.0.0.1
 	require_message_authenticator = no
 	secret = "DELETED"
 	nastype = "other"
  }
  client 216.1.12.66 {
 	require_message_authenticator = no
 	secret = "DELETED"
 	shortname = "cisco_pptp"
 	nastype = "cisco"
  }
  client 192.168.3.36 {
 	require_message_authenticator = no
 	secret = "DELETED"
 	shortname = "s036"
 	nastype = "other"
  }
  client 216.1.12.74 {
 	require_message_authenticator = no
 	secret = "DELETED"
 	shortname = "utopia"
 	nastype = "other"
  }
radiusd: #### Instantiating modules ####
  instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating exec
   exec {
 	wait = yes
 	input_pairs = "request"
 	shell_escape = yes
   }
  Module: Linked to module rlm_expr
  Module: Instantiating expr
  Module: Linked to module rlm_expiration
  Module: Instantiating expiration
   expiration {
 	reply-message = "Password Has Expired  "
   }
  Module: Linked to module rlm_logintime
  Module: Instantiating logintime
   logintime {
 	reply-message = "You are calling outside your allowed timespan  "
 	minimum-timeout = 60
   }
  }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
  modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Linked to module rlm_pap
  Module: Instantiating pap
   pap {
 	encryption_scheme = "auto"
 	auto_header = no
   }
  Module: Linked to module rlm_chap
  Module: Instantiating chap
  Module: Linked to module rlm_mschap
  Module: Instantiating mschap
   mschap {
 	use_mppe = yes
 	require_encryption = no
 	require_strong = no
 	with_ntdomain_hack = no
   }
  Module: Linked to module rlm_unix
  Module: Instantiating unix
   unix {
 	radwtmp = "/var/log/radius/radwtmp"
   }
  Module: Linked to module rlm_eap
  Module: Instantiating eap
   eap {
 	default_eap_type = "md5"
 	timer_expire = 60
 	ignore_unknown_eap_types = no
 	cisco_accounting_username_bug = no
 	max_sessions = 2048
   }
  Module: Linked to sub-module rlm_eap_md5
  Module: Instantiating eap-md5
  Module: Linked to sub-module rlm_eap_leap
  Module: Instantiating eap-leap
  Module: Linked to sub-module rlm_eap_gtc
  Module: Instantiating eap-gtc
    gtc {
 	challenge = "Password: "
 	auth_type = "PAP"
    }
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
  Module: Linked to sub-module rlm_eap_mschapv2
  Module: Instantiating eap-mschapv2
    mschapv2 {
 	with_ntdomain_hack = no
    }
  Module: Checking authorize {...} for more modules to load
  Module: Linked to module rlm_realm
  Module: Instantiating suffix
   realm suffix {
 	format = "suffix"
 	delimiter = "@"
 	ignore_default = no
 	ignore_null = no
   }
  Module: Linked to module rlm_files
  Module: Instantiating files
   files {
 	usersfile = "/usr/etc/raddb/users"
 	acctusersfile = "/usr/etc/raddb/acct_users"
 	preproxy_usersfile = "/usr/etc/raddb/preproxy_users"
 	compat = "no"
   }
  Module: Checking session {...} for more modules to load
  Module: Linked to module rlm_radutmp
  Module: Instantiating radutmp
   radutmp {
 	filename = "/var/log/radius/radutmp"
 	username = "%{User-Name}"
 	case_sensitive = yes
 	check_with_nas = yes
 	perm = 384
 	callerid = yes
   }
  Module: Checking post-proxy {...} for more modules to load
  Module: Checking post-auth {...} for more modules to load
  Module: Linked to module rlm_attr_filter
  Module: Instantiating attr_filter.access_reject
   attr_filter attr_filter.access_reject {
 	attrsfile = "/usr/etc/raddb/attrs.access_reject"
 	key = "%{User-Name}"
   }
  } # modules
} # server
server {
  modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Checking authorize {...} for more modules to load
  Module: Linked to module rlm_preprocess
  Module: Instantiating preprocess
   preprocess {
 	huntgroups = "/usr/etc/raddb/huntgroups"
 	hints = "/usr/etc/raddb/hints"
 	with_ascend_hack = no
 	ascend_channels_per_line = 23
 	with_ntdomain_hack = no
 	with_specialix_jetstream_hack = no
 	with_cisco_vsa_hack = no
 	with_alvarion_vsa_hack = no
   }
  Module: Checking preacct {...} for more modules to load
  Module: Linked to module rlm_acct_unique
  Module: Instantiating acct_unique
   acct_unique {
 	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
   }
  Module: Checking accounting {...} for more modules to load
  Module: Linked to module rlm_detail
  Module: Instantiating detail
   detail {
 	detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 	header = "%t"
 	detailperm = 384
 	dirperm = 493
 	locking = no
 	log_packet_header = no
   }
  Module: Linked to module rlm_ippool
  Module: Instantiating medium_pool
   ippool medium_pool {
 	session-db = "/usr/etc/raddb/db.medium_ippool"
 	ip-index = "/usr/etc/raddb/db.medium_ipindex"
 	key = "%{NAS-IP-Address} %{NAS-Port}"
 	range-start = 172.16.31.101
 	range-stop = 172.16.31.253
 	netmask = 255.255.255.0
 	cache-size = 251
 	override = yes
 	maximum-timeout = 0
   }
  Module: Instantiating super_pool
   ippool super_pool {
 	session-db = "/usr/etc/raddb/db.super_ippool"
 	ip-index = "/usr/etc/raddb/db.super_ipindex"
 	key = "%{NAS-IP-Address} %{NAS-Port}"
 	range-start = 172.16.30.101
 	range-stop = 172.16.30.253
 	netmask = 255.255.255.0
 	cache-size = 251
 	override = yes
 	maximum-timeout = 0
   }
  Module: Instantiating attr_filter.accounting_response
   attr_filter attr_filter.accounting_response {
 	attrsfile = "/usr/etc/raddb/attrs.accounting_response"
 	key = "%{User-Name}"
   }
  Module: Checking session {...} for more modules to load
  Module: Checking post-proxy {...} for more modules to load
  Module: Checking post-auth {...} for more modules to load
  } # modules
} # server
  thread pool {
 	start_servers = 5
 	max_servers = 32
 	min_spare_servers = 3
 	max_spare_servers = 10
 	max_requests_per_server = 300
 	cleanup_delay = 5
 	max_queue_size = 65536
  }
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
radiusd: #### Opening IP addresses and Ports ####
listen {
 	type = "auth"
 	ipaddr = *
 	port = 1812
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 5 waiting to be assigned a request
Re-wait 1
Thread 4 waiting to be assigned a request
Thread 3 waiting to be assigned a request
}
listen {
 	type = "acct"
 	ipaddr = *
 	port = 0
Re-wait 1
Re-wait 5
Re-wait 4
Re-wait 3
Re-wait 1
Re-wait 2
}
Re-wait 1
Re-wait 4
Re-wait 3
Re-wait 5
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
Threads: total/active/spare threads = 5/0/5
Waking up in 0.9 seconds.
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry test at line 173
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "DELETED"
[pap] Using CRYPT encryption.
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [test] (from client cisco_pptp port 442)
+- entering group post-auth {...}
[medium_pool] Could not find Pool-Name attribute.
++[medium_pool] returns noop
[super_pool] Could not find Pool-Name attribute.
++[super_pool] returns noop
++[exec] returns noop
Finished request 0.
Going to the next request
Thread 1 waiting to be assigned a request
Waking up in 4.0 seconds.
Cleaning up request 0 ID 102 with timestamp +18
Ready to process requests.

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up at 3.am							    http://3.am
=========================================================================


