Hi. Now that the current freeradius snapshot works fine with
my Solaris server, I'm trying to use pam_radius-1.3.15 to authenticate 
access to my imap server.

Because 'reject_delay' is not set to 0, radiusd doesn't answer immediately
when pam_radius sends an Access-Request with a wrong password or username.

If pam_radius is not configured to retry sending queries, then some weird
things happen.

Here is an example :

- the user enters a wrong password
- pam_radius sends an Access-Request (id 1) with password WRONGPASS
- radiusd doesn't answer
- after the delay specified in /etc/raddb/server, pam_radius returns
  with PAM_AUTHINFO_UNAVAIL
- the user re-enters his password
- pam_radius sends an Access-Request (id 2) with password GOODPASS
- radiusd answers Access-Reject to the pending Access-Request id 1
- pam_radius wrongly rejects the authentication once again....

I guess that delaying reject-answers is a good thing, but then every
RADIUS client needs to retry sending requests...

Ok then, I configured pam_radius with retry=1....

But now, anytime a wrong password is sent to radiusd, syslog receives
the following messages :
pam_radius_auth: RADIUS server 127.0.0.1 failed to respond

This message is only due to the fact that the timeout on select()
was reached, so pam_radius had to retry...

Well, perhaps that message should be moved outside of
the select() loop, so it will only be logged when all retries have failed.
It's just a proposition.....

The patch could be something like that :

--- pam_radius_auth.c.orig      Thu Apr  3 16:41:29 2003
+++ pam_radius_auth.c   Thu Apr  3 16:51:11 2003
@@ -807,10 +807,10 @@
 
       /* select timed out */
       if (rcode == 0) {
-       _pam_log(LOG_ERR, "RADIUS server %s failed to respond",
-                server->hostname);
        if (--server_tries)
          goto send;
+     _pam_log(LOG_ERR, "RADIUS server %s failed to respond",
+                server->hostname);
        ok = FALSE;
        break;                  /* exit from the select loop */
       } else if (rcode < 0) {
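Review bot: the moved `_pam_log` call is indented two spaces less than the `if (--server_tries)` line it now follows (`+     _pam_log(LOG_ERR, ...` versus the removed `-       _pam_log(LOG_ERR, ...`), so the block reads as if the log sat outside the `if (rcode == 0)` branch; re-indent it to line up with `ok = FALSE;`. Since the message is now emitted only once `server_tries` has reached zero, a retry that succeeds leaves no trace at all; consider a lower-severity log (LOG_DEBUG) just before `goto send` so an administrator can still see that a timeout and retry occurred.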



Note: in the USAGE file of pam_radius, the 'retry' parameter is said
not to be currently implemented, which is wrong....

-- 
Samuel Degrande           LIFL - UMR 8022 CNRS - Bat M3
Phone: (33)3.20.43.47.38  USTL - Universite de Lille 1
Fax:   (33)3.20.43.65.66  59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
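The identifier mix-up in the sequence described above, as an added example that is not code from pam_radius or from the original message: a minimal RFC 2865 packet builder and the client-side check (matching Identifier plus Response Authenticator) that lets a client discard the delayed reject for id 1 while it waits on id 2. The shared secret and packets are constructed here for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
SECRET = b"testing123"  # constructed shared secret, for this example only


def build_request(ident: int, attrs: bytes = b"") -> bytes:
    """Minimal Access-Request (RFC 2865 section 3): code, id, length, random Request Authenticator."""
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16) + attrs


def build_reply(code: int, request: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + SECRET).digest()
    return head + resp_auth + attrs


def reply_matches(reply: bytes, request: bytes) -> bool:
    """Client side: accept a reply only if its Identifier matches the outstanding request
    and its Response Authenticator verifies against that request's own Request Authenticator."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    head, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + SECRET).digest()
    return hmac.compare_digest(expected, resp_auth)


def late_reject_scenario() -> dict:
    """Replay the sequence from the message: the reject for id 1 arrives while the client waits on id 2."""
    req1 = build_request(1)                         # wrong password; server delays its reject
    req2 = build_request(2)                         # user retypes; client now waits for id 2
    late_reject = build_reply(ACCESS_REJECT, req1)  # the delayed answer to id 1 finally shows up
    return {
        # a client that takes the first datagram as the answer to req2 rejects the user again
        "naive_rejects_user": late_reject[0] == ACCESS_REJECT,
        # a client that checks id + authenticator sees a stale packet and keeps waiting on id 2
        "checked_accepts_reply": reply_matches(late_reject, req2),
        # the same packet is a perfectly valid answer to the request it was actually for
        "stale_is_valid_for_req1": reply_matches(late_reject, req1),
    }
```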
