User-Name return glitch in FR 3.0.17?

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Mon Apr 23 18:44:23 CEST 2018


Actually, on second thought, this breaks things worse in the Moonshot world...

:-/

> When I add this block above the 'update { ... }' block in the post-auth section, things work again:
> 
> update reply {
> User-Name !* ANY
> }
> 
> So there's some leakage going on...
> 
>> (7) # Executing section post-auth from file /etc/raddb/sites-enabled/abfab-tr-idp
>> (7)   post-auth {
>> (7)     update {
>> (7)       &reply::Moonshot-Host-TargetedId += &session-state:Moonshot-Host-TargetedId[*] -> '33127397-1bb6-5e95-8859-dfe76acfba67 at idp.test.assent'
>> (7)       &reply::Moonshot-Realm-TargetedId += &session-state:Moonshot-Realm-TargetedId[*] -> 'abd0d71b-7294-5423-86b1-3fae0bd7b33a at idp.test.assent'
>> (7)       &reply::Moonshot-TR-COI-TargetedId += &session-state:Moonshot-TR-COI-TargetedId[*] -> 'b40d0def-5b25-52bd-8d13-e6d22fa24648 at idp.test.assent'
>> (7)       &reply::EAP-Channel-Binding-Message += &session-state:EAP-Channel-Binding-Message[*] -> 0x02002a01a40648545450a524736572766963652e6d6f6f6e73686f742d706c617970656e2e74692e6a612e6e6574
>> (7)       &reply::Reply-Message += &session-state:Reply-Message[*] -> 'Bob has authenticated'
>> (7)       &reply::User-Name += &session-state:User-Name[*] -> 'root'
>> (7)     } # update = noop
>> (7)     [exec] = noop
>> (7)     policy remove_reply_message_if_eap {
>> (7)       if (&reply:EAP-Message && &reply:Reply-Message) {
>> (7)       if (&reply:EAP-Message && &reply:Reply-Message)  -> TRUE
>> (7)       if (&reply:EAP-Message && &reply:Reply-Message)  {
>> (7)         update reply {
>> (7)           &Reply-Message !* ANY
>> (7)         } # update reply = noop
>> (7)       } # if (&reply:EAP-Message && &reply:Reply-Message)  = noop
>> (7)       ... skipping else: Preceding "if" was taken
>> (7)     } # policy remove_reply_message_if_eap = noop
>> (7)   } # post-auth = noop
>> (7) Sent Access-Accept Id 83 from 0.0.0.0:2083 to 13.94.115.212:48186 length 0
>> (7)   MS-MPPE-Recv-Key = 0x1ee8bbd31cd79fd4e98d946e946e1f976b7aaebd6e5412b4bab51b2e2d784c9c
>> (7)   MS-MPPE-Send-Key = 0x4de6d0ddcf7a725afc0a7e4b7fb2478b5c59a76ac5689342d33fbcdb4787f2c7
>> (7)   EAP-Message = 0x03070004
>> (7)   Message-Authenticator = 0x00000000000000000000000000000000
>> (7)   User-Name = "@idp.test.assent"
>> (7)   Proxy-State = 0x30
>> (7)   Moonshot-Host-TargetedId += "33127397-1bb6-5e95-8859-dfe76acfba67 at idp.test.assent"
>> (7)   Moonshot-Realm-TargetedId += "abd0d71b-7294-5423-86b1-3fae0bd7b33a at idp.test.assent"
>> (7)   Moonshot-TR-COI-TargetedId += "b40d0def-5b25-52bd-8d13-e6d22fa24648 at idp.test.assent"
>> (7)   EAP-Channel-Binding-Message += 0x02002a01a40648545450a524736572766963652e6d6f6f6e73686f742d706c617970656e2e74692e6a612e6e6574
>> (7)   User-Name += "root"
>> (7) Finished request
>> Thread 3 waiting to be assigned a request
>> Waking up in 4.2 seconds.
>> (0) Cleaning up request packet ID 222 with timestamp +5
>> (1) Cleaning up request packet ID 207 with timestamp +5
>> (2) Cleaning up request packet ID 84 with timestamp +5
>> (3) Cleaning up request packet ID 66 with timestamp +5
>> (4) Cleaning up request packet ID 35 with timestamp +5
>> Closing TLS socket from client port 48186
>> (0) >>> send TLS 1.2  [length 0002]
>> Client has closed connection
>> (5) Cleaning up request packet ID 183 with timestamp +5
>> (6) Cleaning up request packet ID 189 with timestamp +5
>> ... shutting down socket auth from client (13.94.115.212, 48186) -> (*, 2083, virtual-server=abfab-idp)
>> (7) Cleaning up request packet ID 83 with timestamp +5
>> Waking up in 2.9 seconds.
>> ... cleaning up socket auth from client (13.94.115.212, 48186) -> (*, 2083, virtual-server=abfab-idp)
>> Ready to process requests
>> 
>> -- log ends --
>> 
>> :-/

Stefan Paetow
Consultant, Trust and Identity

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
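
A check for the symptom visible in the quoted debug log, where the Access-Accept dump lists `User-Name` twice. This is an added example, not part of the original message or of FreeRADIUS; the function name, the attribute subset and request 8 in the sample are constructed here.

```python
import re
from collections import defaultdict

# Subset of attributes RFC 2865 permits at most once in an Access-Accept.
SINGLE_VALUED = {"User-Name", "State", "Session-Timeout", "Idle-Timeout"}

SENT = re.compile(r"^\((\d+)\) Sent (\S+) Id (\d+) ")
ATTR = re.compile(r"^\((\d+)\)\s{2,}([A-Za-z0-9-]+) (?:=|\+=|:=) (.*)$")

def duplicate_reply_attrs(debug_lines):
    """Map (request, packet id) -> {attr: [values]} for every Access-Accept
    dump that lists a single-valued attribute more than once."""
    findings, current, values = {}, None, None

    def close():
        if current is None:
            return
        dups = {a: v for a, v in values.items()
                if a in SINGLE_VALUED and len(v) > 1}
        if dups:
            findings[current] = dups

    for raw in debug_lines:
        line = raw.lstrip("> ").rstrip()      # tolerate mail-quoted logs
        sent, attr = SENT.match(line), ATTR.match(line)
        if sent:                               # a new packet dump starts
            close()
            accept = sent[2] == "Access-Accept"
            current = (int(sent[1]), int(sent[3])) if accept else None
            values = defaultdict(list)
        elif current and attr and int(attr[1]) == current[0]:
            values[attr[2]].append(attr[3].strip('"'))
        elif current and line.startswith(f"({current[0]}) "):
            close()                            # dump for this request ended
            current = None
    close()
    return findings

# Request 7 is trimmed from the log quoted above; request 8 is constructed.
SAMPLE = """\
(7) Sent Access-Accept Id 83 from 0.0.0.0:2083 to 13.94.115.212:48186 length 0
(7)   EAP-Message = 0x03070004
(7)   User-Name = "@idp.test.assent"
(7)   Proxy-State = 0x30
(7)   User-Name += "root"
(7) Finished request
(8) Sent Access-Accept Id 84 from 0.0.0.0:2083 to 13.94.115.212:48186 length 0
(8)   User-Name = "@idp.test.assent"
(8) Finished request
""".splitlines()
```

Feeding it the output of `radiusd -X` line by line reports each Access-Accept whose dump repeats one of the listed attributes, keyed by request number and packet ID.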
