Alan DeKok <[email protected]> wrote:
>
> Alexander Clouter wrote:
>> Okay, maybe my regex is bad...so I tested it:
>> ----
>> a...@berk:~$ cat moo
>> [email protected]
>> xwfmnc02qnabzlq9wi9...@globalsign Root CA
>> [email protected]
>> [email protected]
>>
>> a...@berk:~$ grep '[[:graph:]...@\([-[:alnum:]]\+\.\)\+[[:alpha:]]\{2,\}' moo
>> [email protected]
>> [email protected]
>> [email protected]
>> ----
>>
>> Any ideas? Bug? Feature?
>
> FreeRADIUS uses the system regex libraries. grep might be using its
> own regex implementation.
>
> Specifically, I'm not sure [[:alpha:]] and friends are supported by
> the system regex library.
>
grep implies it does in the man page, and I am using the *basic* regex mode too.

I got those :alpha:-n-chums actually working and tested them with a bunch of test cases; they definitely seem to be doing what I would expect...well, unless the realm has a space in it :)

Ignoring the 'space', the fact that there is no '.' in the Globalsign realms should have caused it to be rejected, which to me rules out the 'alnum'/'alpha' bits, surely?

> I would suggest writing the rules to sanitize realms in layers:
>
> - reject requests containing malformed User-Names (spaces, etc.)
> - proxy *known* realms to another virtual server to handle them
> - proxy *other* realms to eduroam.
>
I already do that; it's the malformed and non-routable (EAP-SIM-esque realms) realms that are the problem.

> Eduroam should really be creating a routing protocol for RADIUS. I
> don't think it would be hard: git + ssh + text files. See Section 2.7
> of:
>
> http://tools.ietf.org/id/draft-dekok-radext-nai-00.txt
>
I never understood why eduroam just didn't use SRV records against the realm to find the RADIUS server and a DNS-based whitelist to validate which realms were part of the community. :-/

For that tiny amount of effort you get to remove those darn proxy servers and more reliability (large TTLs on the realm whitelist), plus when DNSSEC gets rolled out to .ac.uk and wherever...you get that for free too. The only complication I can see is the Message-Authenticator I think; however, I would imagine the .ac.uk community can dig into the sofa for some loose change to hire some FreeRADIUS consultant...if he is not too busy lying with his feet kicked up in France with fresh food and good wine :)

At this point I would imagine the eduroam world will descend upon me saying "the world is not 'a' FreeRADIUS", to which I reply "then you will not be part of it" if you are too lazy to configure a 'dumb' standalone FreeRADIUS proxy :)

However, I am just a network monkey, no one listens to me :)

Cheers

--
Alexander Clouter
.sigmonster says: You're not Dave. Who are you?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
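Added example (not code from this thread or from the FreeRADIUS project): the realm rule above is run through the system regex library itself, POSIX <regex.h>, rather than through grep, which is the comparison Alan's reply asks for. Because the list archive scrubbed part of the grep command, the pattern here is a reconstruction of it, written once in strict POSIX BRE (no GNU `\+`, which grep accepts but other libc regex implementations may not), once in ERE, and once anchored and tightened. The sample User-Names are constructed, not the ones from the post. The remark that FreeRADIUS compiles `=~` patterns with REG_EXTENDED is an assumption to verify against the `regcomp()` call in your version's source; if it holds, a BRE-style rule with `\(`, `\)` and `\{n,\}` will never match there, which the last column below demonstrates.

```c
/* Added example: exercise a realm-validation rule with the system regex
 * library (POSIX <regex.h>) instead of grep.
 * Build: cc -std=c99 -o realmcheck realmcheck.c && ./realmcheck */
#include <regex.h>
#include <stdio.h>

/* Reconstruction of the rule from the thread in strict POSIX BRE.
 * "x\{1,\}" is the portable spelling of GNU's "x\+". */
#define RULE_BRE \
    "[[:graph:]][[:graph:]]*@\\([-[:alnum:]][-[:alnum:]]*\\.\\)\\{1,\\}[[:alpha:]]\\{2,\\}"

/* The same rule in ERE syntax. Assumption: FreeRADIUS compiles "=~" patterns
 * with REG_EXTENDED, so this is the form it would need; verify in your version. */
#define RULE_ERE \
    "[[:graph:]]+@([-[:alnum:]]+\\.)+[[:alpha:]]{2,}"

/* Anchored and tightened: [[:graph:]] includes '@', so the unanchored rule
 * accepts "a@b.com@evil.org" by matching a substring. Forbid '@' and
 * whitespace in the local part and require the whole User-Name to match. */
#define RULE_ERE_STRICT \
    "^[^@[:space:]]+@([-[:alnum:]]+\\.)+[[:alpha:]]{2,}$"

/* Returns 1 on match, 0 on no match, -1 if the pattern fails to compile. */
int regex_matches(const char *pattern, int cflags, const char *subject)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, cflags | REG_NOSUB) != 0) return -1;
    rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* The three forms, each compiled with the syntax it was written in. */
int matches_bre(const char *name)    { return regex_matches(RULE_BRE, 0, name); }
int matches_ere(const char *name)    { return regex_matches(RULE_ERE, REG_EXTENDED, name); }
int matches_strict(const char *name) { return regex_matches(RULE_ERE_STRICT, REG_EXTENDED, name); }

/* The BRE rule handed to an ERE compiler: "\(" "\)" "\{" "\}" become literal
 * characters, so the rule silently stops matching anything sensible. */
int bre_rule_under_ere(const char *name) { return regex_matches(RULE_BRE, REG_EXTENDED, name); }

/* Constructed sample User-Names (the post's own examples were scrubbed by the archive). */
static const char *samples[] = {
    "alice@example.ac.uk",          /* well-formed */
    "carol@sub-domain.example.org", /* hyphen inside a label */
    "bob@globalsign Root CA",       /* no '.', contains spaces */
    "dave@example",                 /* no '.' in realm */
    "eve@nowhere.c",                /* top label shorter than two letters */
    "trudy@example.com@evil.org",   /* two '@': only the strict rule rejects it */
    NULL
};

int main(void)
{
    printf("%-30s %-4s %-4s %-7s %s\n", "User-Name", "BRE", "ERE", "strict", "BRE-as-ERE");
    for (const char **s = samples; *s; s++)
        printf("%-30s %-4d %-4d %-7d %d\n", *s,
               matches_bre(*s), matches_ere(*s), matches_strict(*s), bre_rule_under_ere(*s));
    return 0;
}
```

The first two columns agree with the grep run in the thread: realms without a '.' are rejected by BRE and ERE alike, so the character classes are not the problem. The "strict" column is the rule a practitioner would actually deploy, since the unanchored `[[:graph:]]` local part lets a second '@' through; the last column shows what happens when a BRE-syntax rule is fed to a REG_EXTENDED compiler.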

