Masquerading MSCHAPv2 User-Name?

David Herselman dhe at
Sat Feb 20 08:23:26 CET 2021


On a related note, it occurred to me that I should most probably be sanitising incoming attributes? If the request arrived with sAMAccountName it would then override what I'm setting...

Or is it safe, in that there's little point in trying to scrub this if the initiator of the request is compromised?

In reference to:
    update request {FreeRADIUS-Client-Shortname = "%{Client-Shortname}"}
    if (User-Name =~ /^cccccct00001[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "davidh"}}
    if (User-Name =~ /^cccccct00002[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "philipo"}}
    if (&sAMAccountName) {
        update request {Yubikey-OTP = "%{User-Name}"}
        update control {Auth-Type := "YubiCHAP"}
    }

David Herselman
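As an added example (not part of the original message), the same policy with the incoming attribute cleared before the prefix match assigns it, so a value carried in the Access-Request cannot override the mapping. It assumes FreeRADIUS 3.x unlang and the attribute names used in the post (sAMAccountName, Yubikey-OTP, the YubiCHAP Auth-Type).

```unlang
# Added example, not the original poster's configuration.
# Assumes FreeRADIUS 3.x unlang and a dictionary entry for sAMAccountName.
authorize {
    # Delete every instance of sAMAccountName the client (or an earlier
    # policy) may have supplied. "!* ANY" removes all instances, so the
    # assignments below are the only source of the value.
    update request {
        &sAMAccountName !* ANY
    }

    update request {
        &FreeRADIUS-Client-Shortname = "%{Client-Shortname}"
    }

    # Map the fixed Yubikey public-ID prefix to an account. The regexes are
    # the ones from the post; ":=" overwrites rather than appends.
    if (&User-Name =~ /^cccccct00001[cbdefghijklnrtuv]{32}$/) {
        update request { &sAMAccountName := "davidh" }
    }
    elsif (&User-Name =~ /^cccccct00002[cbdefghijklnrtuv]{32}$/) {
        update request { &sAMAccountName := "philipo" }
    }

    # Only a prefix that matched above can reach this branch now.
    if (&sAMAccountName) {
        update request { &Yubikey-OTP = "%{User-Name}" }
        update control { &Auth-Type := "YubiCHAP" }
    }
}
```

Whether the attribute can arrive from a NAS at all depends on how it is defined: an attribute with no wire encoding (internal dictionary) cannot be sent in a packet, while one defined as a VSA can, so the clearing step costs nothing in the first case and matters in the second.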

More information about the Freeradius-Users mailing list