User name case insensitivity - revisited
Luveh Keraph
1.41421 at gmail.com
Sat Jun 11 18:21:46 UTC 2022
I thought I had grasped what is involved in making FreeRADIUS 3.0.* process
user names in a case-insensitive way, but I am not so sure now.
Here is what I have done:
First, I added the following line in my /etc/raddb/mods-enabled/files:
key = "%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}"
I launched my FreeRADIUS server after this.
I have the following entry in my /etc/raddb/users file:
ijk_user1 User-Password != "IJKpassword1"
ijk_user1 Cleartext-Password := "IJKpassword1"
With this, when I try to ssh as IJK_User1 (notice the mixed case) into a
system that turns over authentication to my FreeRADIUS server, I get the
following debugging information at this server:
Sat Jun 11 11:02:25 2022 : Debug: (0) files: EXPAND %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}
Sat Jun 11 11:02:25 2022 : Debug: (0) files: --> ijk_user1
Sat Jun 11 11:02:25 2022 : Debug: (0) files: users: Matched entry ijk_user1 at line 447
Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authorize]: returned from files (rlm_files)
Sat Jun 11 11:02:25 2022 : Debug: (0) [files] = ok
Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authorize]: calling expiration (rlm_expiration)
Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authorize]: returned from expiration (rlm_expiration)
Sat Jun 11 11:02:25 2022 : Debug: (0) [expiration] = noop
Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authorize]: calling logintime (rlm_logintime)
Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authorize]: returned from logintime (rlm_logintime)
Sat Jun 11 11:02:25 2022 : Debug: (0) [logintime] = noop
Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authorize]: calling pap (rlm_pap)
Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authorize]: returned from pap (rlm_pap)
Sat Jun 11 11:02:25 2022 : Debug: (0) [pap] = updated
Sat Jun 11 11:02:25 2022 : Debug: (0) } # authorize = updated
Sat Jun 11 11:02:25 2022 : Debug: (0) Found Auth-Type = PAP
Sat Jun 11 11:02:25 2022 : Debug: (0) # Executing group from file /etc/raddb/sites-enabled/default
Sat Jun 11 11:02:25 2022 : Debug: (0) Auth-Type PAP {
Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authenticate]: calling pap (rlm_pap)
Sat Jun 11 11:02:25 2022 : Debug: (0) pap: Login attempt with password "IJKpassword1" (12)
Sat Jun 11 11:02:25 2022 : Debug: (0) pap: Comparing with "known good" Cleartext-Password "IJKpassword1" (12)
Sat Jun 11 11:02:25 2022 : Debug: (0) pap: User authenticated successfully
Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authenticate]: returned from pap (rlm_pap)
Sat Jun 11 11:02:25 2022 : Debug: (0) [pap] = ok
Sat Jun 11 11:02:25 2022 : Debug: (0) } # Auth-Type PAP = ok
Sat Jun 11 11:02:25 2022 : Debug: (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
Sat Jun 11 11:02:25 2022 : Debug: (0) post-auth {
Sat Jun 11 11:02:25 2022 : Debug: (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
Sat Jun 11 11:02:25 2022 : Debug: (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
Sat Jun 11 11:02:25 2022 : Debug: (0) update {
Sat Jun 11 11:02:25 2022 : Debug: (0) No attributes updated for RHS &session-state:
Sat Jun 11 11:02:25 2022 : Debug: (0) } # update = noop
Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[post-auth]: calling exec (rlm_exec)
Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[post-auth]: returned from exec (rlm_exec)
Sat Jun 11 11:02:25 2022 : Debug: (0) [exec] = noop
Sat Jun 11 11:02:25 2022 : Debug: (0) policy remove_reply_message_if_eap {
Sat Jun 11 11:02:25 2022 : Debug: (0) if (&reply:EAP-Message && &reply:Reply-Message) {
Sat Jun 11 11:02:25 2022 : Debug: (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
Sat Jun 11 11:02:25 2022 : Debug: (0) else {
Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[post-auth]: calling noop (rlm_always)
Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[post-auth]: returned from noop (rlm_always)
Sat Jun 11 11:02:25 2022 : Debug: (0) [noop] = noop
Sat Jun 11 11:02:25 2022 : Debug: (0) } # else = noop
Sat Jun 11 11:02:25 2022 : Debug: (0) } # policy remove_reply_message_if_eap = noop
Sat Jun 11 11:02:25 2022 : Debug: (0) } # post-auth = noop
Sat Jun 11 11:02:25 2022 : Debug: (0) Sent Access-Accept Id 64 from
192.168.0.55.
23:1812 to 192.168.0.66:60600 length 0
Which is fine: the user name gets converted from IJK_User1 to ijk_user1 and
the authentication with password IJKpassword1 succeeds, as expected.
I then changed the relevant entry in my /etc/raddb/users file as follows:
IJK_User1 User-Password != "IJKpassword1"
IJK_User1 Cleartext-Password := "IJKpassword1"
After restarting the FreeRADIUS server I attempted the same login as
before. This is what I got in my traces:
Sat Jun 11 11:48:54 2022 : Debug: (0) files: EXPAND %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}
Sat Jun 11 11:48:54 2022 : Debug: (0) files: --> ijk_user1
Sat Jun 11 11:48:54 2022 : Debug: (0) modsingle[authorize]: returned from files (rlm_files)
Sat Jun 11 11:48:54 2022 : Debug: (0) [files] = noop
Sat Jun 11 11:48:54 2022 : Debug: (0) modsingle[authorize]: calling expiration (rlm_expiration)
Sat Jun 11 11:48:54 2022 : Debug: (0) modsingle[authorize]: returned from expiration (rlm_expiration)
Sat Jun 11 11:48:54 2022 : Debug: (0) [expiration] = noop
Sat Jun 11 11:48:54 2022 : Debug: (0) modsingle[authorize]: calling logintime (rlm_logintime)
Sat Jun 11 11:48:54 2022 : Debug: (0) modsingle[authorize]: returned from logintime (rlm_logintime)
Sat Jun 11 11:48:54 2022 : Debug: (0) [logintime] = noop
Sat Jun 11 11:48:54 2022 : Debug: (0) modsingle[authorize]: calling pap (rlm_pap)
Sat Jun 11 11:48:54 2022 : WARNING: (0) pap: No "known good" password found for the user. Not setting Auth-Type
Sat Jun 11 11:48:54 2022 : WARNING: (0) pap: Authentication will fail unless a "known good" password is available
Sat Jun 11 11:48:54 2022 : Debug: (0) modsingle[authorize]: returned from pap (rlm_pap)
Sat Jun 11 11:48:54 2022 : Debug: (0) [pap] = noop
Sat Jun 11 11:48:54 2022 : Debug: (0) } # authorize = ok
Sat Jun 11 11:48:54 2022 : ERROR: (0) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Sat Jun 11 11:48:54 2022 : Debug: (0) Failed to authenticate the user
Sat Jun 11 11:48:54 2022 : Debug: (0) Using Post-Auth-Type Reject
If I understand things correctly, the key = ... line that I added to the
files file does indeed recast the incoming user name to lowercase. However,
the FreeRADIUS server still compares incoming user names against those in
the users file in a case-sensitive way. This is fine, but not quite what I
was looking for.
Is it possible to get FreeRADIUS to compare user names (and user
names alone - not passwords) in a truly case-insensitive way against those
in the /etc/raddb/users file?
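An added illustration of the lookup the two traces above show, written for this page rather than taken from FreeRADIUS or from the post. It models only what the traces make visible: the key expansion %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}} lowercases the incoming name, rlm_files then compares that key with the entry name exactly (so "ijk_user1" matches the lowercase entries and misses the "IJK_User1" entries), and rlm_pap has no "known good" Cleartext-Password when nothing matched. The fold_names switch is an assumption made for illustration of what the question is asking for (folding both sides), not an rlm_files option; the users-file fragments are constructed from the entries in the post. The password comparison is kept exact, which is the behaviour the question wants to preserve.

```python
# Added example (not FreeRADIUS code): a small model of how rlm_files looks up a
# "users" entry by its expanded key, showing why a lowercased key matches only
# entries whose names are already lowercase.
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Constructed users-file fragments mirroring the two variants in the post.
USERS_LOWER = '''
ijk_user1 User-Password != "IJKpassword1"
ijk_user1 Cleartext-Password := "IJKpassword1"
'''
USERS_MIXED = '''
IJK_User1 User-Password != "IJKpassword1"
IJK_User1 Cleartext-Password := "IJKpassword1"
'''

Entry = Tuple[str, List[Tuple[str, str, str]]]   # (name, [(attr, op, value), ...])

# One check item: Attribute op "value"; the operators seen in the post plus = and ==.
_ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|=)\s*"([^"]*)"')


def parse_users(text: str) -> List[Entry]:
    """Parse the first line of each entry: a name followed by its check items.
    Indented reply-item lines (none appear in the post) are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#') or line[0].isspace():
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else '')
        entries.append((name, _ITEM_RE.findall(rest)))
    return entries


def expand_key(request: Dict[str, str]) -> str:
    """Model of %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}:
    Stripped-User-Name if present, otherwise User-Name folded to lowercase."""
    stripped = request.get('Stripped-User-Name')
    return stripped if stripped else request['User-Name'].lower()


def lookup(entries: List[Entry], key: str, fold_names: bool = False) -> List[Entry]:
    """rlm_files compares the entry name with the key exactly (fold_names=False),
    which is what both traces show. fold_names=True is a hypothetical variant
    that also lowercases the entry names, i.e. the behaviour the post asks for."""
    def norm(name: str) -> str:
        return name.lower() if fold_names else name
    return [e for e in entries if norm(e[0]) == key]


def known_good_password(entries: List[Entry], key: str,
                        fold_names: bool = False) -> Optional[str]:
    """The "known good" password rlm_pap needs: a Cleartext-Password := item on a
    matched entry, or None when no entry matched (the second trace's WARNING)."""
    for _name, items in lookup(entries, key, fold_names):
        for attr, op, value in items:
            if attr == 'Cleartext-Password' and op == ':=':
                return value
    return None


def authorize(users_text: str, request: Dict[str, str], fold_names: bool = False) -> str:
    """rlm_files result as printed in the traces: 'ok' if an entry matched, else 'noop'."""
    entries = parse_users(users_text)
    return 'ok' if lookup(entries, expand_key(request), fold_names) else 'noop'


def pap_check(password: str, known_good: Optional[str]) -> bool:
    """rlm_pap: the submitted password must equal the known good one exactly;
    folding the user name does not change this comparison."""
    if known_good is None:
        return False
    return hmac.compare_digest(password.encode(), known_good.encode())


if __name__ == '__main__':
    req = {'User-Name': 'IJK_User1'}      # the mixed-case login from the post
    for label, text in (('lowercase entries', USERS_LOWER), ('mixed-case entries', USERS_MIXED)):
        kg = known_good_password(parse_users(text), expand_key(req))
        print(f'{label}: files = {authorize(text, req)}, known good = {kg!r}, '
              f'pap = {pap_check("IJKpassword1", kg)}')
    print('mixed-case entries with names folded: files =',
          authorize(USERS_MIXED, req, fold_names=True))
```

Running it prints ok / "IJKpassword1" for the lowercase entries and noop / None for the mixed-case ones, which is the pair of outcomes the two traces record; only the hypothetical fold_names variant makes the mixed-case entries match.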