Client Secret with Backslash

Wingard, Nathaniel (Chapin) Nathaniel.Wingard at Fiserv.com
Tue Feb 19 21:58:15 CET 2019


While I agree that it is far easier to avoid special characters, I think following the documented rules for escaping strings will prevent issues in the long run. I know it would have saved me a few hours of testing.

Thanks,
Nathaniel

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+nathaniel.wingard=fiserv.com at lists.freeradius.org] On Behalf Of Peter Lambrechtsen
Sent: Tuesday, February 19, 2019 3:13 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Client Secret with Backslash

Wouldn't it just be easier to NOT use backslashes or other reserved
characters (like %, $) in secrets?

To me it sounds like a terrible idea and going to break things down the
track when an upgrade occurs and the hacky code to make it work for some
reason gets removed in either FreeRadius or a firmware update on the NAS
and for some odd reason the secret doesn't work anymore.

A 20+ character random string with upper, lower and numbers is *plenty*
strong enough for a shared secret in my view so why the desire to overly
complicate it with reserved / special characters.

On Wed, Feb 20, 2019 at 2:17 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Feb 18, 2019, at 10:41 PM, Wingard, Nathaniel (Chapin)
> <Nathaniel.Wingard at Fiserv.com> wrote:
> >
> > I've been trying to set a client secret with a trailing backslash and
> find myself confused by the results. I am running the Debian 9 provided
> freeradius 3.0.12 (freeradius-3.0.12+dfsg-5+deb9u1).
>
>   Well, there *is* 3.0.17 available.  3.0.12 is 3 years old at this point.
>
> > Secret I want:
> > asdf\
> >
> > Attempts (failures):
> > secret = asdf\
> > - Results in config parsing error
>
>   As it should.  You can't put bare back-slashes into a file, or at the
> end of a line.
>
> > secret = asdf\\
> > - Results in config parsing error
>
>   Yes, because the parser creates unquoted strings as simple words, and
> doesn't do escaping.
>
> > secret = 'asdf\'
> > - Results in config parsing error
> > secret = "asdf\"
> > - Results in config parsing error
>
>   As it should.  You can't put backslashes at the end of a string.
>
> > secret = 'asdf\\'
> > - Results: asdf\\
> > secret = "asdf\\"
> > - Results: asdf\\
>
>   It looks like this isn't handled correctly in v3.  There are various
> technical reasons, but it should work.
>
>   I'll see if I can fix this before 3.0.18 is released.
>
> > Attempts (successes?)
> > secret = "as\df"
> > - Results: as\df
> > secret = "as\\df"
> > - Results: as\\df
>
>   Except that's likely wrong, too.  String escaping should do string
> escaping the same way everywhere.
>
> > I expected the last of my failures to work per
> https://networkradius.com/doc/3.0.10/unlang/data_single.html but it seems
> only \' is treated as an escape sequence in the client secret. Is there any
> way to have a client secret with a trailing backslash, and as an extension,
> can I have the string literal \' in my secret?
>
>   I'll see what I can do.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


