Allow same user to authenticate with different passwords

Taymour Gabr taymourgabr at googlemail.com
Tue Dec 10 14:05:19 CET 2019


Thanks for the feedback!

The manager has very specific requirements about username and password
convention...

We have switched to using the name as password and room number as
username, since the room number is guaranteed to be unique.

As an aside, I'm very curious how other hotels using a captive portal
do their authentication.

On 10/12/2019, Rens Houben via Freeradius-Users
<freeradius-users at lists.freeradius.org> wrote:
> From: Freeradius-Users
> <freeradius-users-bounces+rhouben=systemec.nl at lists.freeradius.org> on behalf of
> WAGHORN, Jason (NHS BORDERS) via Freeradius-Users
> <freeradius-users at lists.freeradius.org>
> Sent: Tuesday 10 December 2019 08:43
> To: FreeRadius users mailing list
> CC: WAGHORN, Jason (NHS BORDERS)
> Subject: RE: Allow same user to authenticate with different passwords
>
>>> We are trying to allow users to authenticate with different passwords
>>> using an SQL database and freeradius version 3.0.17 (hotel scenario,
>>> where unrelated people can have the same family name).
>
>> Perhaps I'm being strange here - but a single username with multiple
>> passwords sounds like a security hole to me - in that if johnsmith is
>> logging in twice because there are two "John Smith" users - how do you
>> tell them apart in case of (for example) law enforcement request?
>
>> Surely it's easier/better/simpler just to give everyone a unique login
>> name? Perhaps in your hotel case use room number plus surname? So 317smith
>> & 226smith
>
> From an infosec point of view this is a *terrible* idea, because it would
> allow a stalker or PI who knows the name of your guest to potentially figure
> out what room their target is in by process of elimination.
>
> Use random names and passwords instead.
>
> --Rens.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
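
An added example, not part of the thread: one way to issue the random per-stay logins Rens recommends while keeping the login-to-guest mapping Jason asks about in a separate table. It assumes the stock FreeRADIUS `radcheck` schema; the `guest_login` table, the function names and the sample guests are hypothetical, and SQLite stands in for the real database.

```python
import secrets
import sqlite3

# Alphabet without look-alike characters (0/o, 1/l/i) so guests can type it.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"

def random_token(length):
    """Return a random string drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def open_db():
    """In-memory stand-in for the FreeRADIUS SQL database."""
    db = sqlite3.connect(":memory:")
    # radcheck follows the stock FreeRADIUS SQL schema.
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, "
               "username TEXT NOT NULL, attribute TEXT NOT NULL, "
               "op TEXT NOT NULL DEFAULT ':=', value TEXT NOT NULL)")
    # guest_login is a hypothetical front-desk table, not part of FreeRADIUS.
    db.execute("CREATE TABLE guest_login (username TEXT PRIMARY KEY, "
               "room TEXT NOT NULL, surname TEXT NOT NULL)")
    return db

def issue_credentials(db, room, surname):
    """Create one random login for a stay and record who it belongs to."""
    while True:  # retry on the unlikely collision with an existing login
        username = random_token(8)
        taken = db.execute("SELECT 1 FROM radcheck WHERE username = ?",
                           (username,)).fetchone()
        if not taken:
            break
    password = random_token(12)
    with db:  # both rows commit together or not at all
        db.execute("INSERT INTO radcheck (username, attribute, op, value) "
                   "VALUES (?, 'Cleartext-Password', ':=', ?)",
                   (username, password))
        db.execute("INSERT INTO guest_login VALUES (?, ?, ?)",
                   (username, room, surname))
    return username, password

if __name__ == "__main__":
    db = open_db()
    # Constructed sample guests: two unrelated people with the same surname.
    for room, surname in [("317", "smith"), ("226", "smith")]:
        print(room, *issue_credentials(db, room, surname))
```

Neither the login nor the password is derived from the room or the surname, so knowing a guest's name does not narrow down their room, while `guest_login` still ties each session's username to one stay.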

