Re: reject auth after exec

Thu, 20 Nov 2003 12:25:27 -0800 

From: "Rob Genovesi" <[EMAIL PROTECTED]>
<left out>
> In this case getstatus was a simple shell script that did nothing but exit
> 255.  I would prefer to exit with a valid radius response including a
> Reply-Message.
<left out>

Hi,

I had some issues with external programs also with FreeRadius 0.9.0.

Mind that the following is regarding FreeRadius 0.9.0!!!

Regarding exit codes:
0 = accept
1 = reject
Basic on this, I guess that any negative exit code indicates an error, any
positive exit code a reject and 0 an accept.
Here's some Perl code that I used to reject the user:
sub auth_reject {
 my ($message) = @_;
 print "Reply-Message = \"$message\"\n";
 exit 1;
}

Regarding the Reply-Message:
I patched the source.

### PATCH 1 ###
--- src/main/auth.c.orig 2003-08-27 15:57:17.000000000 +0200
+++ src/main/auth.c 2003-08-27 16:02:34.000000000 +0200
@@ -805,15 +805,18 @@
     * had a non-zero exit status.
     */
    if (umsg[0] == '\0') {
-    user_msg = "\r\nAccess denied (external check failed).";
+    /* Don't tell NAS that auth failed by external check */
+    user_msg = NULL;
    } else {
     user_msg = &umsg[0];
    }

    request->reply->code = PW_AUTHENTICATION_REJECT;
-   tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
-
-   pairadd(&request->reply->vps, tmp);
+   /* Only add reply-message when one is available */
+   if (user_msg != NULL) {
+    tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
+    pairadd(&request->reply->vps, tmp);
+   }
    rad_authlog("Login incorrect (external check failed)",
      request, 0);


### PATCH 2 ###
--- src/main/auth.c.orig 2003-08-27 15:57:17.000000000 +0200
+++ src/main/auth.c 2003-08-27 15:57:58.000000000 +0200
@@ -815,7 +815,8 @@

    pairadd(&request->reply->vps, tmp);
    rad_authlog("Login incorrect (external check failed)",
-     request, 0);
+     /* Log attributes of reject packets */
+     request, 1);

    return RLM_MODULE_REJECT;
   }


Regards,

Thor.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to