users file regex

Phil Mayers p.mayers at imperial.ac.uk
Tue Apr 17 14:41:15 CEST 2012


On 17/04/12 12:48, DaveA wrote:
> Hello,
>
> I would like to default reject users who have a "/" or "\" in their
> username. Often users will misconfigure their machines and Windows will send
> the host\username, which will never be a valid login here.

Do you mean thing like:

MY-PC\otherwisevalidusername

...or things like:

host/name.domain.com

i.e. the first 4 characters are actually "h", "o", "s", "t"?

>
> Where is the best place to do this? I have tried to put this in the users
> file, but I may not have the correct regex:
>
> DEFAULT User-Name =~ /[0-9a-zA-Z\/\\]+/, Auth-Type := Reject

Do you really want to reject any user whose User-Name contains a letter 
or number? Because that's what this regexp says.

>
> My match cases are:
>
> host\username
> host\\username
> host/username
> host //username
>
> I do not want to sanitize these for the users.

Why? It makes your life hard, and your users' lives hard, to reject names 
with a clearly valid intent.

Still, your decision, feel free to use time as you see fit ;o)

Anyway, your regex is indeed wrong. In the "users" file, you need:

DEFAULT	User-Name =~ "THEREGEX"

THEREGEX must have double-escaped \ - first, escape the \ for the regex 
parser, next, escape the \ for the "users" file parser.

i.e. if you want to match "a\b" you need a regexp:

a\\b

...therefore you need to write:

DEFAULT	User-Name =~ "a\\\\b"

"/" is not a special character in "users"-file regexps, so can just be 
left as-is.

So:

DEFAULT	User-Name =~ "^.+\\\\\\\\", Auth-Type := Reject
DEFAULT	User-Name =~ "^.+\\\\", Auth-Type := Reject
DEFAULT	User-Name =~ "^.+//", Auth-Type := Reject
DEFAULT	User-Name =~ "^.+/", Auth-Type := Reject

Note for the archives - if you want to do this in "unlang", the syntax 
is different. You do NOT need to double-escape the "\", but DO need to 
escape the "/". Figuring this out is left as an exercise for the reader.

One final note - it would be REALLY handy if FR regexp engine let you 
choose an alternate delimiter like some programs e.g.

  if (User-Name =~ #theregex#) {
    ...
  }

...to avoid leaning toothpick syndrome. Maybe I will work up a patch.
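The two-layer escaping described above, as an added example that is not part of the thread: a small Python model of how the "users" file string parser strips one layer of backslashes before the regex engine sees the pattern. The unescape routine is a simplified assumption (the real parser handles more escape sequences), Python's `re` stands in for the server's regex engine, and the sample User-Names are constructed from the cases in the question.

```python
import re

# Assumed, simplified model of the "users" file string parser: inside a
# double-quoted string, "\x" becomes "x", so "\\" becomes a single "\".
def users_file_unescape(quoted: str) -> str:
    out, i = [], 0
    while i < len(quoted):
        if quoted[i] == "\\" and i + 1 < len(quoted):
            out.append(quoted[i + 1])
            i += 2
        else:
            out.append(quoted[i])
            i += 1
    return "".join(out)

# Extract the quoted pattern from a 'DEFAULT User-Name =~ "..."' line and
# compile it as the server would: after the file-level unescape.
RULE_RE = re.compile(r'User-Name\s+=~\s+"((?:[^"\\]|\\.)*)"')

def compile_users_rule(line: str) -> re.Pattern:
    m = RULE_RE.search(line)
    if not m:
        raise ValueError(f"not a User-Name =~ rule: {line!r}")
    return re.compile(users_file_unescape(m.group(1)))

# The four reject entries from the reply, exactly as they appear in "users".
REJECT_RULES = [
    r'DEFAULT User-Name =~ "^.+\\\\\\\\", Auth-Type := Reject',  # two literal \
    r'DEFAULT User-Name =~ "^.+\\\\", Auth-Type := Reject',      # one literal \
    r'DEFAULT User-Name =~ "^.+//", Auth-Type := Reject',
    r'DEFAULT User-Name =~ "^.+/", Auth-Type := Reject',
]

def matching_rules(user_name: str, rules=REJECT_RULES) -> list:
    """0-based indices of the rules whose (unescaped) regex matches."""
    return [i for i, r in enumerate(rules)
            if compile_users_rule(r).search(user_name)]

def would_reject(user_name: str, rules=REJECT_RULES) -> bool:
    return bool(matching_rules(user_name, rules))

# The original regex from the question, for comparison: it matches any name
# containing a letter or digit, which is why it would reject valid users too.
ORIGINAL_RE = re.compile(r"[0-9a-zA-Z/\\]+")

def original_regex_matches(user_name: str) -> bool:
    return ORIGINAL_RE.search(user_name) is not None

if __name__ == "__main__":
    # Constructed samples; Python needs "\\" to write one backslash.
    for name in ["host\\username", "host\\\\username", "host/username",
                 "host //username", "validuser"]:
        print(f"{name!r:22} reject={would_reject(name)} rules={matching_rules(name)}")
```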

