NULL password
Dom Latter
freeradius-users at latter.org
Tue Sep 4 14:10:37 CEST 2018

On 31/08/18 17:37, Alan DeKok wrote:
>
>> On Aug 31, 2018, at 12:12 PM, Dom Latter <freeradius-users at latter.org> wrote:
>>
>> Forgive me if this seems too stupid to ask but I must be 100% sure of
>> this - if Cleartext-Password is set to NULL in radcheck then this
>> is equivalent to disabling the account?
>
> It will let them log in using "NULL" as the password.

Really? That's a database NULL not a string containing those four
letters..

The query returns a Cleartext-Password value of NULL. Debug output
subsequently returns:

(115) Tue Sep 4 12:54:21 2018: Debug: sql: User found in radcheck table
(115) Tue Sep 4 12:54:21 2018: Debug: sql: Conditional check items matched, merging assignment check items
(115) Tue Sep 4 12:54:21 2018: Debug: sql: Cleartext-Password := ""

Is it possible to authenticate with an empty password string in any way?
MSCHAPv2 is the backend.

I have been trying to test this both with a real device and with tools,
and although it seems a blank password gets rejected I would like to
know...

> It's better to just remove the Cleartext-Password attribute from the database.

Not really an option.

We are using encrypted passwords [1] which are decrypted before being
passed to freeradius. When new users are created they are sent a link
which enables them to set a new password. Before this is used we'd like
to have a placeholder value something like "not set yet". As this is
not decryptable the query returns a NULL value.

[1] So that it can be said that passwords are encrypted.
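
Added example, not part of the original message or of FreeRADIUS: one way to keep the placeholder row in the database while making sure the lookup never hands the server a NULL password. It assumes the stock radcheck columns, a hypothetical `toy_decrypt` standing in for the site's decryption (base64 here, not encryption), and that an undecryptable value should become an `Auth-Type := Reject` check item.

```python
import base64
import binascii
import sqlite3

def toy_decrypt(stored):
    """Hypothetical stand-in for the site's decryption (base64, NOT encryption).
    Returns None (SQL NULL) when the stored value cannot be decoded."""
    try:
        return base64.b64decode(stored, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, TypeError):
        return None

# Lookup as described in the thread: a failed decrypt surfaces as a NULL value.
NAIVE = """SELECT id, username, attribute,
  CASE WHEN attribute = 'Cleartext-Password'
       THEN toy_decrypt(value) ELSE value END AS value, op
  FROM radcheck WHERE username = ? ORDER BY id"""

# Assumed alternative: turn an undecryptable password into an explicit reject.
HARDENED = """SELECT id, username,
  CASE WHEN attribute = 'Cleartext-Password' AND toy_decrypt(value) IS NULL
       THEN 'Auth-Type' ELSE attribute END AS attribute,
  CASE WHEN attribute = 'Cleartext-Password'
       THEN COALESCE(toy_decrypt(value), 'Reject') ELSE value END AS value, op
  FROM radcheck WHERE username = ? ORDER BY id"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.create_function("toy_decrypt", 1, toy_decrypt)
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
               " attribute TEXT, op TEXT, value TEXT)")
    rows = [  # constructed sample accounts
        ("alice", "Cleartext-Password", ":=",
         base64.b64encode(b"example-pass").decode()),
        ("newuser", "Cleartext-Password", ":=", "not set yet"),  # placeholder
    ]
    db.executemany("INSERT INTO radcheck (username, attribute, op, value)"
                   " VALUES (?, ?, ?, ?)", rows)
    return db

def check_items(db, query, user):
    """Return (attribute, op, value) tuples as the lookup would deliver them."""
    return [(r[2], r[4], r[3]) for r in db.execute(query, (user,))]

if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "newuser"):
        print(user, check_items(db, NAIVE, user), check_items(db, HARDENED, user))
```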