FreeRadius autoreply the access challenge
sam
jianxueqd1 at alcatel-lucent.com
Tue May 29 14:42:09 CEST 2012
I set up pam_radius_auth.so in pam.d/sshd to verify the user using the
remote RADIUS server.
As per the protocol, when used in an Access-Challenge, it MAY indicate a dialog
message to prompt the user for a response, like the following flow:
1) server sends the Access-Challenge message with Reply-Message
YOUR PASSWORD HAS EXPIRED. PLEASE ENTER THE NEW PASSWORD
2) client sends back the Access-Request message.
3) server sends another Access-Challenge message with Reply-Message
PLEASE RE-ENTER THE NEW PASSWORD AGAIN FOR VERIFICATION
4) client sends back the Access-Request message again.
I think the message flow is right, but at point 2 and point 4 the
prompt should pop up and ask us to input the password. However, our
freeradius sends the Access-Request automatically.
I just checked the code and did not find the problem when doing the
Access-Challenge.
The function rad_converse() calls pam_get_item(). I think it is the only place
to suspect; can this function pop up the prompt? Has anyone encountered this problem?
    /* It's full challenge-response, we should have echo on */
    retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, challenge, &resp2challenge);
+++processing Access-Challenge code+++
while (response->code == PW_ACCESS_CHALLENGE) {
    attribute_t *a_state, *a_reply;
    char challenge[BUFFER_SIZE];

    /* Now we do a bit more work: challenge the user, and get a response */
    if (((a_state = find_attribute(response, PW_STATE)) == NULL) ||
        ((a_reply = find_attribute(response, PW_REPLY_MESSAGE)) == NULL)) {
        /* Actually, State isn't required. */
        _pam_log(LOG_ERR, "RADIUS Access-Challenge received with State or Reply-Message missing");
        retval = PAM_AUTHINFO_UNAVAIL;
        goto error;
    }

    /*
     * Security fixes.
     */
    if ((a_state->length <= 2) || (a_reply->length <= 2)) {
        _pam_log(LOG_ERR, "RADIUS Access-Challenge received with invalid State or Reply-Message");
        retval = PAM_AUTHINFO_UNAVAIL;
        goto error;
    }

    /* the Reply-Message text (minus the 2-byte attribute header) becomes the PAM prompt */
    memcpy(challenge, a_reply->data, a_reply->length - 2);
    challenge[a_reply->length - 2] = 0;
    DPRINT(LOG_DEBUG, "Got Prompt=%s", challenge);

    /* It's full challenge-response, we should have echo on */
    retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, challenge, &resp2challenge); /* <<<<< here */

    /* now that we've got a response, build a new radius packet */
    build_radius_packet(request, user, resp2challenge, &config);
    /* request->code is already PW_AUTHENTICATION_REQUEST */
    request->id++; /* one up from the request */

    /* copy the state over from the servers response */
    add_attribute(request, PW_STATE, a_state->data, a_state->length - 2);

    /* send the new Access-Request and wait for the server's next code */
    retval = talk_radius(&config, request, response, resp2challenge, NULL, 1);
    PAM_FAIL_CHECK;
    DPRINT(LOG_DEBUG, "Got response to challenge code %d", response->code);
}
+++code+++
+++log+++
May 28 23:12:13 sshd[20729]: pam_radius_auth: Sending RADIUS request code 1
May 28 23:12:13 sshd[20729]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -745295136.
May 28 23:12:13 sshd[20729]: pam_radius_auth: Got RADIUS response code 11
May 28 23:12:13 sshd[20729]: pam_radius_auth: Got Prompt=YOUR PASSWORD HAS EXPIRED. PLEASE ENTER THE NEW PASSWORD: <<<< receive reply-message field
May 28 23:12:13 sshd[20729]: pam_radius_auth: Got response to challenge code 11
May 28 23:12:13 sshd[20729]: pam_radius_auth: Got Prompt=PLEASE RE-ENTER THE NEW PASSWORD AGAIN FOR VERIFICATION: <<<< receive reply-message field
May 28 23:12:18 sshd[20729]: pam_radius_auth: Got response to challenge code 3
May 28 23:12:18 sshd[20729]: pam_radius_auth: authentication failed
+++log+++
View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-autoreply-the-access-chanllenge-tp5713396.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
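A standalone parser for the Access-Challenge packet that the loop above consumes, added here as an illustration and not code from pam_radius_auth or FreeRADIUS. It walks the attribute TLVs with the same "length <= 2" rejection as the module plus the bounds check a TLV walker needs before any memcpy; the attribute numbers (Reply-Message 18, State 24, code 11) are the standard RADIUS values, and the packet bytes and State value are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PW_ACCESS_CHALLENGE 11
#define PW_REPLY_MESSAGE 18
#define PW_STATE 24
#define RADIUS_HDR_LEN 20
/* Value of the first attribute of `type` (length in *vlen), or NULL if absent or if any TLV is malformed:
 * length < 3 is the module's "length <= 2" case; a length past the packet's Length field is the overrun. */
static const uint8_t *find_attr(const uint8_t *pkt, size_t pktlen, uint8_t type, size_t *vlen)
{
    size_t off = RADIUS_HDR_LEN, declared;
    if (pktlen < RADIUS_HDR_LEN) return NULL;
    declared = ((size_t)pkt[2] << 8) | pkt[3];          /* Length field of the RADIUS header */
    if (declared < RADIUS_HDR_LEN || declared > pktlen) return NULL;
    while (off + 2 <= declared) {
        uint8_t l = pkt[off + 1];
        if (l < 3 || l > declared - off) return NULL;   /* empty value or runs past the packet */
        if (pkt[off] == type) { *vlen = l - 2; return pkt + off + 2; }
        off += l;
    }
    return NULL;
}
/* Copy the prompt (Reply-Message) and the State to echo back out of an Access-Challenge.
 * Returns 0, or -1 where pam_radius_auth would set PAM_AUTHINFO_UNAVAIL. */
int parse_challenge(const uint8_t *pkt, size_t pktlen, char *prompt, size_t promptsz, uint8_t *state, size_t *statelen)
{
    size_t rlen, slen; const uint8_t *reply, *st;
    if (pktlen < RADIUS_HDR_LEN || pkt[0] != PW_ACCESS_CHALLENGE) return -1;
    reply = find_attr(pkt, pktlen, PW_REPLY_MESSAGE, &rlen);
    st = find_attr(pkt, pktlen, PW_STATE, &slen);
    if (!reply || !st || rlen >= promptsz || slen > *statelen) return -1;
    memcpy(prompt, reply, rlen); prompt[rlen] = '\0';  /* NUL-terminate like the module's challenge[] */
    memcpy(state, st, slen); *statelen = slen;
    return 0;
}
/* Constructed Access-Challenge (zero authenticator, constructed State) with one Reply-Message and
 * one State attribute; returns the packet length. The Reply-Message length octet sits at out[21]. */
size_t build_challenge(uint8_t *out, const char *msg, const uint8_t *state, size_t slen)
{
    size_t mlen = strlen(msg), len = RADIUS_HDR_LEN;
    memset(out, 0, RADIUS_HDR_LEN);
    out[0] = PW_ACCESS_CHALLENGE; out[1] = 1;          /* code 11, identifier 1 */
    out[len++] = PW_REPLY_MESSAGE; out[len++] = (uint8_t)(mlen + 2);
    memcpy(out + len, msg, mlen); len += mlen;
    out[len++] = PW_STATE; out[len++] = (uint8_t)(slen + 2);
    memcpy(out + len, state, slen); len += slen;
    out[2] = (uint8_t)(len >> 8); out[3] = (uint8_t)len;
    return len;
}
```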