Allow same user to authenticate with different passwords

Rens Houben rhouben at systemec.nl
Tue Dec 10 09:28:53 CET 2019


Van: Freeradius-Users <freeradius-users-bounces+rhouben=systemec.nl at lists.freeradius.org> namens WAGHORN, Jason (NHS BORDERS) via Freeradius-Users <freeradius-users at lists.freeradius.org>
Verzonden: dinsdag 10 december 2019 08:43
Aan: FreeRadius users mailing list
CC: WAGHORN, Jason (NHS BORDERS)
Onderwerp: RE: Allow same user to authenticate with different passwords

>> We are trying to allow users to authenticate with different passwords using an SQL database and freeradius version 3.0.17 (hotel scenario, where unrelated people can have the same family name).

>Perhaps I'm being strange here - but a single username with multiple passwords sounds like a security hole to me - in that if johnsmith is logging in twice because there are two "John Smith" users - how do you tell them apart in case of (for example) law enforcement request?

>Surely it's easier/better/simpler just to give everyone a unique login name? Perhaps in your hotel case use room number plus surname? So 317smith & 226smith

>From an infosec point of view this is a *terrible* idea, because it would allow a stalker or PI who knows the name of your guest to potentially figure out what room their target is in by process of elimination.

Use random names and passwords instead.

--Rens.


More information about the Freeradius-Users mailing list