Hi
I want to disable login users with empty passwords
So, the entry in my "users" file is:
---------------------------------
DEFAULT User-Password !~ "^$"
Framed-MTU = 576,
Acct-Interim-Interval := 60
DEFAULT Auth-Type := Reject
Reply-Message = "Unknown user subscription type"
---------------------------------
And I expected Access-Reject with reply message.
Instead I got Access-Reject but for another reason - Incorrect password
(see debugging output below).
Password is not empty and stored in MySQL database as clear text.
Same result I saw when used simple (not regular) expression:
----------------------------------------
DEFAULT User-Password != ""
Framed-MTU = 576,
Acct-Interim-Interval := 60
DEFAULT Auth-Type := Reject
Reply-Message = "Unknown user subscription type"
---------------------------------------
1) If I remove this check from users file, the user can log in successfuly.
2) Regular expression for User-Name is working well, e.g.
DEFAULT User-Name =~ "^[-_[:alnum:]]+$", NAS-Port-Type == Ethernet
Framed-MTU = 576,
Acct-Interim-Interval := 60
It seems to me that the Value of User-Password is broken during check and
not
equal to Value taken from database.
My questions is: Is User-Password handled in the same way as another
attributes in
"user" file OR not ? How to disable users with empty passwords ?
PS: The problem occured with versions 1.0.1 and 1.0.5
My backend - MySQL with standard radius database. OS - Redhat 9.x, i386.
Debugging output of "radiusd -X" looks like this:
---------------------------------
rad_recv: Access-Request packet from host 127.0.0.1:1112, id=47, length=65
User-Name = "cftest"
User-Password = "1234567890"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = "r9999"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/radacct/127.0.0.1/auth-detail-20060824'
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/127.0.0.1/auth-detail-20060824
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "cftest", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched entry DEFAULT at line 14
modcall[authorize]: module "files" returns ok for request 0
radius_xlat: 'cftest'
rlm_sql (sql): sql_set_user escaped user --> 'cftest'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username=(SELECT distinct username FROM usergroup WHERE groupname&(SELECT
regionid FROM regionslist WHERE routerid='r9999') AND username='cftest')
ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: num_fields 5
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'cftest' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: num_fields 5
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'cftest' ORDER BY id'
rlm_sql_mysql: num_fields 5
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'cftest' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: num_fields 5
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
modcall: group authorize returns ok for request 0
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
--
regards,
Vladimir
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
