When using DOUBLE_QUOTED_STRING, passwords with '\"' may not work

Gerald Vogt vogt at spamcop.net
Wed Sep 13 15:07:54 UTC 2023

On 13.09.23 16:06, Alan DeKok wrote:
> On Sep 13, 2023, at 8:00 AM, g4-lisz at tonarchiv.ch wrote:
>> but he's right! The behavior is really not as one would expect. At least different from a shell and C:
>> "some\word" in config => some\word
>> "some\\word" in config => some\\word
>    As I posted earlier, I don't see that when I do the same tests.
>    So either you're running a very old / buggy version, or something else is going on.

I can confirm this on AlmaLinux 9.2, latest updates, running 
freeradius-3.2.3-1.el9.x86_64 from the official repo.

I change the password in mods-available/ldap:

	password = "some\\\"word"

which should match the password some\"word

I start tcpdump to capture the packets between the test machine and the 
LDAP server. When I start radiusd it fails, which is correct, because I 
didn't change the password of my LDAP server.

Checking the capture with Wireshark I can see the following password:

  authentication: simple (0)
      simple: some\\"word

hex dump: 0000   73 6f 6d 65 5c 5c 22 77 6f 72 64

So there are really two backslashes followed by the ".

Now, of course, the question is how the LDAP server interprets this 
text. It's my understanding that the LDAPv3 RFC 4511 says it's UTF-8, and if I 
am not mistaken, "\\" does not bear any special meaning, so it should 
really be interpreted as the password some\\"word

I don't have AD, thus I didn't test further...
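
An added example (not part of the original post, and not FreeRADIUS code): it unescapes the configured literal under C-style rules, which is an assumption about the expected behaviour, and compares the result byte for byte with the hex dump from the capture above. The names `c_style_unquote` and `compare` are hypothetical.

```python
"""Compare the bind password seen on the wire with a C-style reading of
the configured literal. Added illustration, not FreeRADIUS's parser."""

# Both values are taken from the post above.
CONFIG_LITERAL = r'"some\\\"word"'              # right-hand side of: password = ...
WIRE_HEX = "73 6f 6d 65 5c 5c 22 77 6f 72 64"   # hex dump of the simple bind password

# Assumption: a backslash makes the next character literal, except these.
SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}


def c_style_unquote(literal: str) -> bytes:
    """Unescape a double-quoted literal the way a C compiler would."""
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("not a double-quoted string")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            if i + 1 == len(body):
                raise ValueError("trailing backslash")
            nxt = body[i + 1]
            out.append(SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
        elif ch == '"':
            raise ValueError("unescaped quote inside literal")
        else:
            out.append(ch)
            i += 1
    return "".join(out).encode("utf-8")  # LDAP simple bind passwords are sent as bytes


def compare(literal: str, wire_hex: str) -> dict:
    """Return expected and observed bytes plus the first differing offset."""
    expected = c_style_unquote(literal)
    observed = bytes.fromhex(wire_hex)
    first_diff = next(
        (i for i, (a, b) in enumerate(zip(expected, observed)) if a != b),
        None if len(expected) == len(observed) else min(len(expected), len(observed)),
    )
    return {"expected": expected, "observed": observed,
            "match": expected == observed, "first_diff": first_diff}


if __name__ == "__main__":
    for key, value in compare(CONFIG_LITERAL, WIRE_HEX).items():
        print(f"{key:>10}: {value!r}")
```

Running the same comparison against a capture from another version shows whether the escape handling differs there.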

