Masquerading MSCHAPv2 User-Name?
David Herselman
dhe at syrex.co
Sat Feb 20 08:23:26 CET 2021
Hi,
On a related note, it occurred to me that I should most probably be sanitising incoming attributes? If the request arrived with sAMAccountName it would then override what I'm setting...
Or is it safe, in that there's little point in trying to scrub this if the initiator of the request is compromised?
In reference to:
update request {FreeRADIUS-Client-Shortname = "%{Client-Shortname}"}
if (User-Name =~ /^cccccct00001[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "davidh"}}
if (User-Name =~ /^cccccct00002[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "philipo"}}
if (&sAMAccountName) {
    update request {Yubikey-OTP = "%{User-Name}"}
    update control {Auth-Type := "YubiCHAP"}
}
Regards
David Herselman
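
One way to do the scrubbing the post asks about, as an added example that is not part of the original message. In FreeRADIUS v3 unlang the `=` operator in an update block only adds an attribute when none of that name is already in the list, so this version first deletes any existing copies with `!* ANY` and then assigns with `:=`. It assumes sAMAccountName, Yubikey-OTP and FreeRADIUS-Client-Shortname are attributes that only the server itself is meant to set.

```unlang
# Added example (FreeRADIUS v3 unlang), not the poster's configuration.

# Delete every instance of the attributes this policy owns before any of
# them is set, so a value already present in the request cannot survive.
update request {
	sAMAccountName !* ANY
	Yubikey-OTP !* ANY
	FreeRADIUS-Client-Shortname !* ANY
}

update request {
	FreeRADIUS-Client-Shortname := "%{Client-Shortname}"
}

# ':=' replaces any existing value; '=' would keep an existing one.
if (User-Name =~ /^cccccct00001[cbdefghijklnrtuv]{32}$/) {
	update request {
		sAMAccountName := "davidh"
	}
}
if (User-Name =~ /^cccccct00002[cbdefghijklnrtuv]{32}$/) {
	update request {
		sAMAccountName := "philipo"
	}
}

# After the scrub, sAMAccountName exists only if one of the
# token-prefix matches above set it.
if (&sAMAccountName) {
	update request {
		Yubikey-OTP := "%{User-Name}"
	}
	update control {
		Auth-Type := "YubiCHAP"
	}
}
```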