I found my problem, those users in fact had no passwords! I didn't
realize nothing could encrypt with a salt, to produce an encrypted password
of NOTHING.
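
#!/usr/bin/perl
# List accounts in a shadow-format file whose stored hash is the
# crypt() of the empty string under that entry's own salt.
use strict;
use warnings;

open(my $shadow, '<', 'shadow') or die "Cannot open shadow: $!";
while (my $line = <$shadow>) {
    chomp $line;
    my ($username, $fullpasswd) = (split(/:/, $line))[0, 1];
    next unless defined $fullpasswd && length($fullpasswd) >= 2;
    my $salt  = substr($fullpasswd, 0, 2);   # first two characters are the salt
    my $empty = crypt("", $salt);            # may be undef if libc rejects the salt
    if (defined $empty && $fullpasswd eq $empty) {
        print "$username has no password!!\n";
    }
}
close($shadow);
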
On Thu, 15 Apr 1999, Brian wrote:
> Radiator: 2.12.1
> Postgres: 6.3.2
> Redhat 5.2
>
>
> We just noticed a problem with our Radiator setup. Some users can get in
> by entering a blank password. I have not found out why it is only some
> users and not others. Take these two users for example, both would be
> caught by the "DefaultReply" item in radius.cfg since neither has any
> replyattr's:
>
> From Postgres:
>
> username|encryptedpassword|uid  |gid|gecos            |dir                       |shell    |checkattr|replyattr|
> --------+-----------------+-----+---+-----------------+--------------------------+---------+---------+---------+
> sram    |.zqpNKI2pJlrM    |16767|500|Ramsey, Sam      |/home/cust/s/r/sram/./    |/bin/true|         |         |
> thomasob|l29JcSDiMW0gM    |21044|500|O'Brien, ThomasW.|/home/cust/t/h/thomasob/./|/bin/true|         |         |
>
>
> Yet:
>
> [root@norad radacct]# radpwtst -s norad -secret xxx -user thomasob -password '' -dictionary /usr/local/radiator/raddb/dictionary
> sending Access-Request...
> Rejected
> sending Accounting-Request Start...
> OK
> sending Accounting-Request Stop...
> OK
> [root@norad radacct]# radpwtst -s norad -secret xxx -user sram -password '' -dictionary /usr/local/radiator/raddb/dictionary
> sending Access-Request...
> OK
> sending Accounting-Request Start...
> OK
> sending Accounting-Request Stop...
> OK
>
> very odd. The Auth section is this from radius.cfg:
>
> <Realm DEFAULT>
> AcctLogFileName %L/%C/detail
> PasswordLogFileName %L/password.log
> <AuthBy SQL>
> DefaultReply Service-Type = "Framed-User",Framed-Protocol = "PPP",\
> Framed-IP-Address = "255.255.255.254",Framed-Netmask ="255.255.255.255",\
> Framed-MTU = "1500",Max-Channels = "1",Framed-Routing = "None",\
> Framed-Compression = "Van-Jacobson-TCP-IP"
> DBSource dbi:Pg:dbname=shrevenet_users;host=norad.shreve.net
> DBUsername xxxxxxx
> DBAuth xxxxxxx
> AuthSelect select ENCRYPTEDPASSWORD,CHECKATTR,REPLYATTR from passwd where USERNAME='%n'
> EncryptedPassword
> AccountingTable ""
> </AuthBy>
> </Realm>
>
> Has anyone seen this? Anyone know what could be the matter?
>
>
> Below is Trace 4 output for user "sram"
>
> Thu Apr 15 11:53:41 1999: INFO: Server started
> Thu Apr 15 11:53:44 1999: DEBUG: Packet dump:
> *** Received from 208.206.76.58 port 1830 ....
> Code: Access-Request
> Identifier: 0
> Authentic: 1234567890123456
> Attributes:
> User-Name = "sram"
> Service-Type = Framed-User
> Client-Id = 203.63.154.1
> NAS-Port = 1234
> NAS-Port-Type = Async
> User-Password = ""
>
> Thu Apr 15 11:53:44 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Thu Apr 15 11:53:44 1999: DEBUG: Handling with Radius::AuthSQL
> Thu Apr 15 11:53:44 1999: DEBUG: Query is: select ENCRYPTEDPASSWORD,CHECKATTR,REPLYATTR from passwd where USERNAME='sram'
>
> Thu Apr 15 11:53:44 1999: DEBUG: Radius::AuthSQL looks for match with sram
> Thu Apr 15 11:53:44 1999: DEBUG: Packet dump:
> *** Sending to 208.206.76.58 port 1830 ....
> Code: Access-Accept
> Identifier: 0
> Authentic: 1234567890123456
> Attributes:
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = 255.255.255.254
> Framed-Netmask = 255.255.255.255
> Framed-MTU = 1500
> Max-Channels = 1
> Framed-Routing = None
> Framed-Compression = Van-Jacobson-TCP-IP
>
> Thu Apr 15 11:53:44 1999: DEBUG: Packet dump:
> *** Received from 208.206.76.58 port 1830 ....
> Code: Accounting-Request
> Identifier: 1
> Authentic: <168><153><250>-8<199>N<178><7>$J<194>-<194><165>O
> Attributes:
> User-Name = "sram"
> Service-Type = Framed-User
> Client-Id = 203.63.154.1
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "00001234"
> Acct-Status-Type = Start
>
> Thu Apr 15 11:53:44 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Thu Apr 15 11:53:44 1999: DEBUG: Handling accounting with Radius::AuthSQL
> Thu Apr 15 11:53:44 1999: DEBUG: Adding session for sram, 203.63.154.1, 1234
> Thu Apr 15 11:53:44 1999: DEBUG: Packet dump:
> *** Sending to 208.206.76.58 port 1830 ....
> Code: Accounting-Response
> Identifier: 1
> Authentic: <168><153><250>-8<199>N<178><7>$J<194>-<194><165>O
> Attributes:
>
> Thu Apr 15 11:53:44 1999: DEBUG: Packet dump:
> *** Received from 208.206.76.58 port 1830 ....
> Code: Accounting-Request
> Identifier: 2
> Authentic: <222>o<143><253><224>Id<150><205>K<250><207><150>]<147><227>
> Attributes:
> User-Name = "sram"
> Service-Type = Framed-User
> Client-Id = 203.63.154.1
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "00001234"
> Acct-Status-Type = Stop
> Acct-Delay-Time = 0
> Acct-Session-Time = 1000
> Acct-Input-Octets = 20000
> Acct-Output-Octets = 30000
>
>
>
> -----------------------------------------------------
> Brian Feeny (BF304) [EMAIL PROTECTED]
> 318-222-2638 x 109 http://www.shreve.net/~signal
> Network Administrator ShreveNet Inc. (ASN 11881)
>
>
> ===
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
>
-----------------------------------------------------
Brian Feeny (BF304) [EMAIL PROTECTED]
318-222-2638 x 109 http://www.shreve.net/~signal
Network Administrator ShreveNet Inc. (ASN 11881)
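
Added example, not part of the original post and not Radiator's own code: the same blank-hash test applied to rows in the passwd table layout quoted above, next to a crypt comparison that accepts an empty password and a stricter one that refuses it. The function names are hypothetical, the "demo" row is constructed at run time, and the other two hashes are the ones quoted in the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# True when $stored is the crypt() of the empty string under its own salt.
sub is_blank_hash {
    my ($stored) = @_;
    return 0 unless defined $stored && length($stored) >= 2;
    my $h = crypt('', $stored);    # crypt() takes the salt from the stored hash
    return (defined $h && $h eq $stored) ? 1 : 0;
}

# Plain crypt comparison: an empty submitted password matches a blank hash.
sub naive_check {
    my ($submitted, $stored) = @_;
    my $h = crypt($submitted, $stored);
    return (defined $h && $h eq $stored) ? 1 : 0;
}

# Stricter comparison: an empty submitted password never authenticates,
# whatever the stored hash is.
sub strict_check {
    my ($submitted, $stored) = @_;
    return 0 unless defined $submitted && length $submitted;
    return naive_check($submitted, $stored);
}

# Rows as username|encryptedpassword|uid|gid (remaining columns omitted).
my @rows = (
    'sram|.zqpNKI2pJlrM|16767|500',        # hash quoted in the post
    'thomasob|l29JcSDiMW0gM|21044|500',    # hash quoted in the post
);

# Constructed row whose hash is the empty string under an arbitrary salt.
# crypt() can return undef where libc has DES crypt disabled.
my $demo = crypt('', 'ab');
push @rows, "demo|$demo|0|0" if defined $demo;

for my $row (@rows) {
    my ($user, $hash) = (split /\|/, $row)[0, 1];
    printf "%-10s blank_hash=%d naive('')=%d strict('')=%d\n",
        $user, is_blank_hash($hash),
        naive_check('', $hash), strict_check('', $hash);
}
```

Accounts reported with blank_hash=1 need a real password set or the account locked; the strict comparison only stops the empty-password login, it does not repair the stored hash.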