Client Secret with Backslash
Peter Lambrechtsen
peter at crypt.nz
Tue Feb 19 21:13:20 CET 2019
Wouldn't it just be easier to NOT use backslashes or other reserved
characters (like %, $) in secrets?
To me it sounds like a terrible idea and going to break things down the
track when an upgrade occurs and the hacky code to make it work for some
reason gets removed in either FreeRADIUS or a firmware update on the NAS
and for some odd reason the secret doesn't work anymore.
A 20+ character random string with upper, lower and numbers is *plenty*
strong enough for a shared secret in my view, so why the desire to overly
complicate it with reserved / special characters?
On Wed, Feb 20, 2019 at 2:17 AM Alan DeKok <aland at deployingradius.com> wrote:
> On Feb 18, 2019, at 10:41 PM, Wingard, Nathaniel (Chapin) <Nathaniel.Wingard at Fiserv.com> wrote:
> >
> > I've been trying to set a client secret with a trailing backslash and
> > find myself confused by the results. I am running the Debian 9 provided
> > freeradius 3.0.12 (freeradius-3.0.12+dfsg-5+deb9u1).
>
> Well, there *is* 3.0.17 available. 3.0.12 is 3 years old at this point.
>
> > Secret I want:
> > asdf\
> >
> > Attempts (failures):
> > secret = asdf\
> > - Results in config parsing error
>
> As it should. You can't put bare back-slashes into a file, or at the
> end of a line.
>
> > secret = asdf\\
> > - Results in config parsing error
>
> Yes, because the parser creates unquoted strings as simple words, and
> doesn't do escaping.
>
> > secret = 'asdf\'
> > - Results in config parsing error
> > secret = "asdf\"
> > - Results in config parsing error
>
> As it should. You can't put backslashes at the end of a string.
>
> > secret = 'asdf\\'
> > - Results: asdf\\
> > secret = "asdf\\"
> > - Results: asdf\\
>
> It looks like this isn't handled correctly in v3. There are various
> technical reasons, but it should work.
>
> I'll see if I can fix this before 3.0.18 is released.
>
> > Attempts (successes?)
> > secret = "as\df"
> > - Results: as\df
> > secret = "as\\df"
> > - Results: as\\df
>
> Except that's likely wrong, too. String escaping should do string
> escaping the same way everywhere.
>
> > I expected the last of my failures to work per
> > https://networkradius.com/doc/3.0.10/unlang/data_single.html but it seems
> > only \' is treated as an escape sequence in the client secret. Is there any
> > way to have a client secret with a trailing backslash, and as an extension,
> > can I have the string literal \' in my secret?
>
> I'll see what I can do.
>
> Alan DeKok.
>
>
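As an added example (not code from the thread or from the FreeRADIUS project), a small Python helper that applies Peter's recommendation: it flags the characters the thread shows tripping the clients.conf parser, generates a 20+ character secret from upper, lower and digits, and renders a client block. The `client name { ipaddr = ... secret = ... }` layout is the standard clients.conf form; the NAS name and address are constructed placeholders.

```python
import secrets
import string

# Characters the thread shows causing trouble in clients.conf: a backslash
# (escape / line continuation), the quote characters that delimit strings,
# and the % and $ expansion characters Peter lists as reserved.
PROBLEM_CHARS = set('\\\'"%$')
# Peter's recommendation: upper, lower and digits only.
SAFE_ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 20  # 62**20 is about 2**119 possibilities, plenty for a shared secret


def check_secret(secret):
    """Return a list of findings for a proposed shared secret (empty if clean)."""
    findings = []
    if len(secret) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if secret.endswith("\\"):
        findings.append("ends with a backslash (unparseable in clients.conf)")
    reserved = sorted(set(secret) & PROBLEM_CHARS)
    if reserved:
        findings.append("contains reserved characters: " + " ".join(reserved))
    if any(ch not in SAFE_ALPHABET for ch in secret):
        findings.append("contains characters outside [A-Za-z0-9]")
    return findings


def generate_secret(length=32):
    """Draw a secret of the given length from SAFE_ALPHABET using a CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(SAFE_ALPHABET) for _ in range(length))


def clients_conf_entry(name, ipaddr, secret):
    """Render a clients.conf client block, refusing secrets that fail check_secret.

    The secret is written unquoted; that is safe only because check_secret
    guarantees it contains nothing outside [A-Za-z0-9], so no escaping applies.
    """
    problems = check_secret(secret)
    if problems:
        raise ValueError("unsafe secret: " + "; ".join(problems))
    return f"client {name} {{\n\tipaddr = {ipaddr}\n\tsecret = {secret}\n}}\n"


if __name__ == "__main__":
    # The thread's failing attempts versus a freshly generated secret.
    for candidate in ("asdf\\", "asdf\\\\", "as\\df", generate_secret()):
        print(repr(candidate), "->", check_secret(candidate) or "ok")
    print(clients_conf_entry("nas1", "192.0.2.10", generate_secret()))  # constructed NAS
```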