Let's say I have a username of "rcanary". The account is created on the radius (MySQL DB) as UserName=rcanary

Now let's say I try to dial in (using portslave here in this case). I mistype the username as *R*canary instead of *r*canary. The RAS is case sensitive. However, radius is allowing both Rcanary and rcanary. This results in the user being logged in as "canary" because portslave will drop the "R".

If I have two usernames which differ only by the first letter (rcanary and canary), then if the rcanary user logs in with a capital letter they will be granted access to the other user's files.

Other than trying to control username similarity when usernames are created, does anyone have an idea how to control this?

PS. Since this involves PortSlave and freeradius and a security problem, I double posted this on both mailing lists.

-- robert
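
Added illustration, not part of the original post: a MySQL column with a case-insensitive (`_ci`) collation accepts `Rcanary` for `rcanary`, which is assumed here to be why the RADIUS lookup succeeds. The table name `radcheck_demo`, its layout and the sample rows are constructed for the example; only the `UserName` column name comes from the post.

```sql
-- Constructed demo table with an explicitly case-insensitive collation.
CREATE TABLE radcheck_demo (
    id        INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    UserName  VARCHAR(64)  NOT NULL,
    Attribute VARCHAR(32)  NOT NULL,
    Value     VARCHAR(253) NOT NULL,
    KEY idx_username (UserName)
) DEFAULT CHARSET = latin1 COLLATE = latin1_swedish_ci;

-- Constructed sample accounts: the two names from the post.
INSERT INTO radcheck_demo (UserName, Attribute, Value) VALUES
    ('rcanary', 'Password', 'constructed-secret-1'),
    ('canary',  'Password', 'constructed-secret-2');

-- Weak lookup: under a _ci collation the mistyped name still selects
-- rcanary's row, so the server authenticates "Rcanary" as rcanary.
SELECT UserName FROM radcheck_demo WHERE UserName = 'Rcanary';

-- Fix 1: compare byte-for-byte in the lookup query. Casting the literal
-- (not the column) to BINARY keeps idx_username usable.
SELECT UserName FROM radcheck_demo WHERE UserName = BINARY 'Rcanary';
SELECT UserName FROM radcheck_demo WHERE UserName = BINARY 'rcanary';

-- Fix 2: give the column a binary collation so every query against it,
-- including ones you did not write, is case-sensitive.
ALTER TABLE radcheck_demo
    MODIFY UserName VARCHAR(64) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL;

-- The original, unmodified lookup now rejects the mistyped name.
SELECT UserName FROM radcheck_demo WHERE UserName = 'Rcanary';
```

With either fix the mistyped name is rejected at authentication, before the dial-in software has a chance to alter it.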
