When MySQL is queried for that password against that username (regardless of case), it returns a match because MySQL isn't case sensitive. That's something which should be boldly noted in the docs.

Now here is the odd thing I noticed. PPPD logs the user "Rcanary" as being logged on. However, it utmps and privileges the user as "canary". I can't get enough debug logging going on the portslave machine to see what's happening.

If radius is told not to strip the "R" we still have a tiny problem with MySQL circumventing case sensitivity (well, more like something one needs to be aware of). However, MySQL will do a STRCMP (String Compare). So I went into the sql.conf file to change the query strings. However, I found that the author had already included the case sensitive query, but it was commented out.

Alan DeKok wrote:
>
> Robert Canary <[EMAIL PROTECTED]> wrote:
> > Now let's say I try to dial in (using portslave here in this case). I
> > mistype the username as *R*canary instead of *r*canary.
> > The RAS is case sensitive. However, radius is allowing the Rcanary and
> > rcanary.
>
> So run the server in debugging mode, to see which parts of which
> configuration files are being used... look at those configuration
> files to see what's going on.
>
> Incidentally, the user name comparison in the 'users' file and in
> rlm_sql is case sensitive.
>
> > This results with the user being logged in as "canary" because
> > portslave will drop the "R".
>
> So configure portslave to NOT drop the "R"...
>
> > If I have two usernames which differ only by the first letter (rcanary
> > and canary) if rcanary user logs in with a capital letter then they will
> > be granted access to the other user's files.
>
> So fix your configuration to not do that...
>
> > Other than trying to control username similarity when usernames are
> > created, anyone have an idea how to control this?
> >
> > PS. Since this involves PortSlave and freeradius and a security
> > problem, I double posted this on both mail-lists.
>
> You've either misconfigured portslave, or radiusd.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
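
The following is an added example, not part of the original thread and not FreeRADIUS's own schema or queries: it shows how a MySQL username lookup behaves under a case-insensitive collation and how to force an exact-case match. The table `demo_radcheck`, its rows, and the choice of `utf8mb4` (MySQL 5.5.3 or later) are assumptions made for illustration; note that on MySQL 4.0 and later `STRCMP()` also follows the collation of its arguments, so it is only case sensitive when an operand is binary or uses a case-sensitive collation.

```sql
-- Constructed demo table and rows (illustrative names, not the FreeRADIUS schema).
CREATE TABLE demo_radcheck (
  id        INT AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(64)  NOT NULL,
  attribute VARCHAR(32)  NOT NULL,
  value     VARCHAR(253) NOT NULL
) DEFAULT CHARSET = utf8mb4 COLLATE = utf8mb4_general_ci;

INSERT INTO demo_radcheck (username, attribute, value) VALUES
  ('rcanary', 'Password', 'constructed-secret-1'),
  ('canary',  'Password', 'constructed-secret-2');

-- 1. Plain '=' uses the column's collation. Under a *_ci collation the
--    mistyped 'Rcanary' is treated as equal to the stored 'rcanary'.
SELECT username FROM demo_radcheck
 WHERE username = 'Rcanary';

-- 2. STRCMP() compares with the collation of its arguments (MySQL 4.0+),
--    so on a *_ci column it has the same case-insensitive behaviour as (1).
SELECT username FROM demo_radcheck
 WHERE STRCMP(username, 'Rcanary') = 0;

-- 3. Per-query fix: compare under a binary collation so that only an
--    exact-case username matches.
SELECT username FROM demo_radcheck
 WHERE username COLLATE utf8mb4_bin = 'Rcanary';

-- 4. Schema-level fix: make the column itself case sensitive, so every
--    query (and any UNIQUE index on username) distinguishes case.
ALTER TABLE demo_radcheck
  MODIFY username VARCHAR(64)
         CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL;

-- After (4), the plain comparison from (1) is an exact-case match.
SELECT username FROM demo_radcheck
 WHERE username = 'Rcanary';

-- Audit: list existing usernames that collide when case is ignored,
-- which are the accounts exposed to the mix-up described in the thread.
SELECT LOWER(username) AS folded, COUNT(DISTINCT username) AS variants
  FROM demo_radcheck
 GROUP BY LOWER(username)
HAVING COUNT(DISTINCT username) > 1;
```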
