When using DOUBLE_QUOTED_STRING, passwords with '\"' may not work
Gerald Vogt
vogt at spamcop.net
Wed Sep 13 15:07:54 UTC 2023
On 13.09.23 16:06, Alan DeKok wrote:
> On Sep 13, 2023, at 8:00 AM, g4-lisz at tonarchiv.ch wrote:
>> but he's right! The behavior is really not as one would expect. At least different from a shell and C:
>>
>> "some\word" in config => some\word
>> "some\\word" in config => some\\word
>
> As I posted earlier, I don't see that when I do the same tests.
>
> So either you're running a very old / buggy version, or something else is going on.

I can confirm this on AlmaLinux 9.2, latest updates, running
freeradius-3.2.3-1.el9.x86_64 from the official repo.

I change the password in mods-available/ldap:

    password = "some\\\"word"

which should match the password some\"word

I start tcpdump to capture the packets between the test machine and the
ldap server. When I start radiusd it fails, which is correct, because I
didn't change the password of my ldap server.

Checking the capture with wireshark I can see the following password

    authentication: simple (0)
    simple: some\\"word

    hex dump: 0000 73 6f 6d 65 5c 5c 22 77 6f 72 64

So there are really two backslashes followed by the ".

Now, of course, the question is how the ldap server interprets this
text. It's my understanding, the LDAPv3 RFC4511 says it's utf-8 and if I
am not mistaken, "\\" does not bear any special meaning, so it should
really be interpreted as password some\\"word

I don't have AD, thus I didn't test further...

-Gerald
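
The comparison made in the message above, as an added example that is not part of the original post or of FreeRADIUS: it applies C-style unescaping (the expectation stated in the thread, not FreeRADIUS's own parser) to the configured value and compares the result with the bytes from the capture. The function names are hypothetical; the config value and hex dump are the ones quoted in the message.

```python
# Escapes that C-style double-quoted strings collapse (assumed expectation).
C_ESCAPES = {"\\": "\\", '"': '"', "n": "\n", "r": "\r", "t": "\t"}

# Text between the double quotes in mods-available/ldap, as quoted in the post.
CONFIG_BODY = r'some\\\"word'
# Hex dump line of the LDAP simple bind password, as quoted in the post.
CAPTURE = "0000 73 6f 6d 65 5c 5c 22 77 6f 72 64"


def c_unescape(body: str) -> bytes:
    """Unescape the body of a double-quoted string using C-style rules."""
    out, i = [], 0
    while i < len(body):
        nxt = body[i + 1] if i + 1 < len(body) else None
        if body[i] == "\\" and nxt in C_ESCAPES:
            out.append(C_ESCAPES[nxt])
            i += 2
        else:
            out.append(body[i])  # plain character or unknown escape: keep as is
            i += 1
    return "".join(out).encode("utf-8")


def parse_hex_dump(line: str) -> bytes:
    """Convert an 'OFFSET xx xx ...' dump line into raw bytes."""
    tokens = line.split()
    if tokens and len(tokens[0]) == 4:  # leading 4-digit offset column
        tokens = tokens[1:]
    return bytes.fromhex("".join(tokens))


def first_mismatch(expected: bytes, observed: bytes):
    """Return the offset of the first differing byte, or None if identical."""
    for off, (e, o) in enumerate(zip(expected, observed)):
        if e != o:
            return off
    if len(expected) == len(observed):
        return None
    return min(len(expected), len(observed))


if __name__ == "__main__":
    expected = c_unescape(CONFIG_BODY)
    observed = parse_hex_dump(CAPTURE)
    print("expected:", expected.hex(" "), expected)
    print("observed:", observed.hex(" "), observed)
    print("first mismatch at offset:", first_mismatch(expected, observed))
```
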