On Wed, Dec 12, 2007 at 07:35:36PM +0100, Otto Moerbeek wrote:
> On Wed, Dec 12, 2007 at 08:47:54AM -0800, Brad Arrington wrote:
>
> > Hi Otto,
> >
> > Thank you for looking at this.
> >
> > My question is now what would be the right way to do this...?
> >
> > This radius server(AAA) has a 3 try lock out.
> > Without this patch login_radius checks 2 times with a blank password
> > which will allow the user only 1 chance to enter a correct password
> > before it locks the account.
>
> You are comparing pointers, not strings.

I'll elaborate a bit more. Comparing to an empty string should be done like

	strcmp(password, "") != 0

or

	password[0] != '\0'

Since your string compare is obviously wrong, I can only assume you
did not test your diff. At least not for all cases it should handle.

Also, I'm missing a man page addition.

	-Otto

> >
> >
> > -Brad
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > Sent: Wed, 12 Dec 2007 10:28:13 +0100
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: login_radius possible changes.
> > >
> > > On Wed, Dec 12, 2007 at 12:40:15AM -0800, Brad Arrington wrote:
> > >
> > >> Would it be possible to change login_radius.c actually raddauth.c so
> > >> that:
> > >>
> > >> 1. The admin can change what port login_radius uses, such as the
> > >> old datametrics port. It is currently hard coded to radius(1812).
> > >>
> > > >> 2. Make it so it does not try an empty password 2 times before it kicks
> > > >> back a prompt asking for a password.
> > >>
> > >> This is the diff/changes I had in mind.
> > >>
> > >> --- radius_current/raddauth.c Tue Dec 11 12:28:41 2007
> > >> +++ raddauth.c Wed Dec 12 00:29:43 2007
> > >> @@ -117,6 +117,7 @@
> > >> int retries;
> > >> int sockfd;
> > >> int timeout;
> > >> +char *radius_port;
> > >> in_addr_t alt_server;
> > >> in_addr_t auth_server;
> > >>
> > >> @@ -168,6 +169,10 @@
> > >>
> > >> timeout = login_getcapnum(lc, "radius-timeout", 2, 2);
> > >> retries = login_getcapnum(lc, "radius-retries", 6, 6);
> > >> + radius_port = login_getcapstr(lc, "radius-port", NULL, NULL);
> > >> +
> > >> + if (radius_port == NULL) radius_port = "radius";
> > >> +
> > >> if (timeout < 1)
> > >> timeout = 1;
> > >> if (retries < 2)
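Review bot: the value read from "radius-port" is later passed unchanged to getservbyname(), so it only works as a service name that exists in the services database; a numeric port would end in "no such service". State that in the man page entry for the new capability, or handle a numeric value separately. The one-line `if (radius_port == NULL) radius_port = "radius";` can also be dropped by passing "radius" as the default and error arguments of login_getcapstr(), the same way the two login_getcapnum() calls above pass their defaults.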
> > >> @@ -209,7 +214,7 @@
> > >> }
> > >>
> > >> /* get port number */
> > >> - svp = getservbyname ("radius", "udp");
> > >> + svp = getservbyname (radius_port, "udp");
> > >> if (svp == NULL) {
> > >> *emsg = "No such service: radius/udp";
> > >> return (1);
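Review bot: the error string in the unchanged context below the changed line still says "No such service: radius/udp", although the lookup now uses radius_port, so a mistyped radius-port value is reported under the wrong name. The errx() call in the last hunk was updated to print radius_port; this message should name the configured service as well, which means formatting it into a buffer rather than pointing *emsg at a fixed literal.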
> > >> @@ -271,7 +276,7 @@
> > >> }
> > >> }
> > >>
> > >> - if (retries > 0) {
> > >> + if (retries > 0 && passwd != "") {
> > >
> > > That cannot be right
> > >
> > >> rad_request(req_id, userstyle, passwd, auth_port,
> > >> vector,
> > >> pwstate);
> > >>
> > >> @@ -417,9 +422,9 @@
> > >> auth.length = htons(total_length);
> > >>
> > >> /* get radius port number */
> > >> - rad_port = getservbyname("radius", "udp");
> > >> + rad_port = getservbyname(radius_port, "udp");
> > >> if (rad_port == NULL)
> > >> - errx(1, "no such service: radius/udp");
> > >> + errx(1, "no such service: %s/udp", radius_port);
> > >>
> > >> memset(&sin, 0, sizeof (sin));
> > >> sin.sin_family = AF_INET;
> > >>
> > >>
> > >> Thanks,
> > >> -Brad
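
Added example, not part of the thread and not code from raddauth.c: a small C simulation of the 3-try lockout described above, run once with the diff's pointer comparison and once with the content check from the reply. The function names, the sample attempts and the password "secret" are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LOCKOUT_TRIES 3                 /* server-side limit from the thread */
static const char correct_pw[] = "secret";        /* constructed */
/* Constructed input: two blank tries, one typo, then the right password. */
static const char *const sample_attempts[] = { "", "", "wrong", "secret" };

/* The diff's test, `passwd != ""`, compares addresses. A named pointer is
 * used here only so the file compiles without warnings. */
static const char *const empty_literal = "";
static int send_ptr_compare(const char *passwd)
{
	return passwd != empty_literal;     /* true for any input buffer */
}

/* Content check from the reply: send only a non-empty password. */
static int send_content_check(const char *passwd)
{
	return passwd[0] != '\0';
}

/* Returns the failed requests the simulated server charges to the account;
 * LOCKOUT_TRIES means the account was locked before a success. */
int failures_charged(const char *const *attempts, size_t n,
    int (*should_send)(const char *))
{
	char buf[64];                       /* input lives in its own buffer */
	int failures = 0;

	for (size_t i = 0; i < n && failures < LOCKOUT_TRIES; i++) {
		snprintf(buf, sizeof(buf), "%s", attempts[i]);
		if (!should_send(buf))
			continue;                   /* nothing sent, nothing charged */
		if (strcmp(buf, correct_pw) == 0)
			return failures;            /* accepted */
		failures++;                     /* rejected, counts toward lockout */
	}
	return failures;
}

int main(void)
{
	printf("pointer compare: %d failures\n",
	    failures_charged(sample_attempts, 4, send_ptr_compare));
	printf("content check:   %d failures\n",
	    failures_charged(sample_attempts, 4, send_content_check));
	return 0;
}
```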