Non-ascii username and linelog
Jean-Marc TÊTU
jm.tetu at telecom-bretagne.eu
Tue Jun 7 11:32:35 CEST 2016
Hello,
First: sorry for my very bad English...
We run FreeRADIUS 3.0.11 on Ubuntu 14.04.
And it seems that one of our students has found a way to knock our server out.
He tries to authenticate with a non-ASCII User-Name, and FreeRADIUS crashes on the write (in the linelog module) of %{User-Name}:
linelog {
....
messages {
default = "Unknown packet type %{Packet-Type}"
Access-Accept = "%D:%H:%G : Accept : %{User-Name} : %{Calling-Station-Id} : %{NAS-IP-Address} : %{Called-Station-Id}"
Access-Reject = "%D:%H:%G : Reject : %{User-Name} : %{Calling-Station-Id} : %{NAS-IP-Address} : %{Called-Station-Id}"
}
...
}
The User-Name seems to be UTF-8 Unicode text.
I isolated the guilty string in a file (wke):
hexdump -C wke
00000000 ef bd 97 ef bd 8b ef bd 85 0a |..........|
0000000a
cat wke
wke
I reproduced the problem with the initial example configuration for FreeRADIUS, modified to use linelog (in the post-auth section); the (partial) output of radiusd -X:
Ready to process requests
(1) Received Access-Request Id 34 from 127.0.0.1:43956 to 127.0.0.1:1812 length 79
(1) User-Name = "wke"
(1) User-Password = "hello"
(1) NAS-IP-Address = 127.0.1.1
(1) NAS-Port = 0
(1) Message-Authenticator = 0x6bbba1a108aee843ee5c78a8efcf4788
(1) # Executing section authorize from file /usr/local/FR3011/etc/raddb//sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (!&User-Name) {
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ ) {
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "wke", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1) [pap] = noop
(1) } # authorize = ok
(1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/FR3011/etc/raddb//sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(1) linelog: --> messages.Access-Reject
(1) linelog: EXPAND /usr/local/FR3011/var/log/radius/linelog
(1) linelog: --> /usr/local/FR3011/var/log/radius/linelog
with this configuration:
# Loading module "linelog" from file /usr/local/FR3011/etc/raddb//mods-enabled/linelog
linelog {
filename = "/usr/local/FR3011/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
If somebody has an idea....
And thanks for having read this very long text (in incorrect English).....
--
Best regards,
Jean-Marc Têtu
--------------------------------------------------------------
Jean-Marc Têtu, Direction Informatique et Système d'Information
Tel : 02 29 00 10 87, Email: jm.tetu at telecom-bretagne.eu
Institut Mines-Télécom - TELECOM Bretagne
Pointe du Diable
CS 83818
29238 BREST CEDEX 3
--------------------------------------------------------------
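The User-Name bytes from the hexdump above, decoded and escaped in a short Python script. This is an added example, not code from the post or from FreeRADIUS: WKE_BYTES is copied from the `hexdump -C wke` output, while the escaping rule (printable ASCII passes through, everything else becomes \xHH) and the function names are assumptions made for this example, not linelog's own behaviour. Decoding shows the three characters are the fullwidth forms of w, k and e (U+FF57, U+FF4B, U+FF45), which is why `cat wke` displays something that looks like "wke"; NFKC normalization folds them back to the ASCII string "wke".

```python
"""Decode and escape the User-Name bytes from the hexdump in the post.

Added example, not part of the original message or of FreeRADIUS.
WKE_BYTES is copied from `hexdump -C wke`; the escaping rule in
escape_for_log and the function names are assumptions made for this
example, not linelog's own behaviour.
"""
import unicodedata

# Copied from the hexdump in the post, trailing newline (0x0a) included.
WKE_BYTES = bytes.fromhex("ef bd 97 ef bd 8b ef bd 85 0a")


def is_valid_utf8(raw: bytes) -> bool:
    """True if the bytes decode as well-formed UTF-8 (they do here)."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def describe_chars(raw: bytes) -> list:
    """Name each code point, so a log entry can say what was actually received."""
    text = raw.decode("utf-8").rstrip("\n")
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")) for ch in text]


def nfkc_ascii_form(raw: bytes) -> str:
    """Compatibility-normalize; fullwidth Latin letters fold to their ASCII forms."""
    return unicodedata.normalize("NFKC", raw.decode("utf-8").rstrip("\n"))


def escape_for_log(raw: bytes) -> str:
    """Render bytes for a line-oriented log file.

    Printable ASCII passes through, a backslash is doubled, and every other
    byte (control characters, newlines, all non-ASCII) becomes \\xHH, so the
    result is a single line containing only ASCII.
    """
    out = []
    for b in raw:
        if b == 0x5C:
            out.append("\\\\")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def reject_line(user_name: bytes, calling_station: str, nas_ip: str, called_station: str) -> str:
    """Build a line shaped like the Access-Reject template in the post, with User-Name escaped."""
    return f"Reject : {escape_for_log(user_name)} : {calling_station} : {nas_ip} : {called_station}"


if __name__ == "__main__":
    for ch, cp, name in describe_chars(WKE_BYTES):
        print(ch, cp, name)
    print("NFKC form:", nfkc_ascii_form(WKE_BYTES))
    # Station and NAS values below are constructed sample input.
    print(reject_line(WKE_BYTES, "00-11-22-33-44-55", "127.0.1.1", "ap1"))
```

Running the script prints the three fullwidth letters with their code point names, the NFKC form "wke", and a reject line in which the User-Name appears as `\xef\xbd\x97\xef\xbd\x8b\xef\xbd\x85\x0a`; the embedded newline from the file is escaped too, so the log entry stays on one line.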