Garbage password from pam_radius_auth with skip_passwd set
Ilkka Virta
itvirta at iki.fi
Fri Feb 3 15:34:23 CET 2017
I'm using pam_radius_auth with 'skip_passwd' to talk to FreeRADIUS, and
seem to be receiving garbage passwords in the initial request, instead
of the empty password I expected. (USAGE says pam_radius_auth sends a
"NULL" password, but I don't know if it means the User-Password field is
to be zero-length, zero-filled, or nonexisting.)
PAM config:
auth required pam_radius_auth-1.4.0.so debug skip_passwd
The User-Password contained in the initial request appears as
16 random-looking bytes:
> ------------- freeradius -X
> rad_recv: Access-Request packet from host 127.0.0.1 port 41394, id=210, length=72
> User-Name = "user"
> User-Password = "\222\350)\2304Z@ \374\217G>߇<\t"
> ...
>
> rlm_perl: test.pl: RAD_REQUEST: User-Password = '\222\350)\2304Z@ \374\217G>�?<\t'
> rlm_perl: Added pair User-Password = \222\350)\2304Z@ \374\217G>�?<\t
The "rlm_perl: test.pl" line comes from a perl script that just prints
the received values, like example.pl.
If I give an empty response to a password prompt, I get the empty
password as expected:
> ------------- freeradius -X
> rad_recv: Access-Request packet from host 127.0.0.1 port 41394, id=211, length=71
> User-Name = "user"
> User-Password = ""
>
> rlm_perl: test.pl: RAD_REQUEST: User-Password = ''
> rlm_perl: Added pair User-Password =
This works with both the initial password prompt if skip_passwd is not
set, and in replies to any Access-Challenges sent later on.
I don't think this is the expected behaviour given the documentation,
any thoughts?
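Added example, not part of the original post and not pam_radius_auth or FreeRADIUS code: the User-Password hiding from RFC 2865 section 5.2, run over the encodings the post distinguishes, showing which ones a server decodes to an empty string and which to 16 random-looking bytes. The shared secret and authenticators are constructed values; the block illustrates the encoding and does not diagnose the module's behaviour.

```python
import hashlib

BLOCK = 16  # MD5 digest size; User-Password is hidden in 16-octet blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (RFC 2865 section 5.2): NUL-pad, then XOR with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % BLOCK)
    padded = padded or b"\x00" * BLOCK  # the attribute carries at least one block
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        prev = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the chain, then drop the trailing NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

# Constructed sample values, not taken from the post.
SECRET = b"testing123"
RA = bytes(range(16))            # Request Authenticator of this packet
OTHER_RA = bytes(range(16, 32))  # authenticator belonging to some other packet

def cases() -> dict:
    """What the server recovers for each way of sending 'no password'."""
    return {
        "empty, hidden": unhide(hide(b"", SECRET, RA), SECRET, RA),
        "16 NULs, hidden": unhide(hide(b"\x00" * 16, SECRET, RA), SECRET, RA),
        "16 NULs, never hidden": unhide(b"\x00" * 16, SECRET, RA),
        "hidden with other authenticator":
            unhide(hide(b"", SECRET, OTHER_RA), SECRET, RA),
    }

if __name__ == "__main__":
    for name, value in cases().items():
        print(f"{name:32} -> {value!r}")
```

The first two cases decode to an empty password; the last two decode to MD5-derived bytes that look random, because the value on the wire was not XORed with the digest the server computes.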