Re: login_radius possible changes.
Yes, I did test it many times. login_radius as it is in current does not work for me at all. Did I test it for all cases/scenarios..? No, I doubt it.

-Brad

-Original Message-
From: [EMAIL PROTECTED]
Sent: Wed, 12 Dec 2007 22:00:46 +0100
To: [EMAIL PROTECTED]
Subject: Re: login_radius possible changes.

On Wed, Dec 12, 2007 at 07:35:36PM +0100, Otto Moerbeek wrote:

On Wed, Dec 12, 2007 at 08:47:54AM -0800, Brad Arrington wrote:

Hi Otto, Thank you for looking at this. My question is now what would be the right way to do this...? This radius server(AAA) has a 3 try lock out. Without this patch login_radius checks 2 times with a blank password which will allow the user only 1 chance to enter a correct password before it locks the account.

You are comparing pointers, not strings.

I'll elaborate a bit more. Comparing to an empty string should be done like strcmp(password, "") != 0 or password[0] != '\0'

Since your string compare is obviously wrong, I can only assume you did not test your diff. At least not for all cases it should handle. Also, I'm missing a man page addition.

-Otto

-Brad

-Original Message-
From: [EMAIL PROTECTED]
Sent: Wed, 12 Dec 2007 10:28:13 +0100
To: [EMAIL PROTECTED]
Subject: Re: login_radius possible changes.

On Wed, Dec 12, 2007 at 12:40:15AM -0800, Brad Arrington wrote:

Would it be possible to change login_radius.c actually raddauth.c so that:
1. The admin can change what port login_radius uses, such as the old datametrics port. It is currently hard coded to radius(1812).
2. Make it so it does not try an empty password 2 times before it kicks back a prompt asking for a password.

This is the diff/changes I had in mind.

--- radius_current/raddauth.c Tue Dec 11 12:28:41 2007 +++ raddauth.cWed Dec 12 00:29:43 2007 @@ -117,6 +117,7 @@ int retries; int sockfd; int timeout; +char *radius_port; in_addr_t alt_server; in_addr_t auth_server;
@@ -168,6 +169,10 @@ timeout = login_getcapnum(lc, radius-timeout, 2, 2); retries = login_getcapnum(lc, radius-retries, 6, 6); + radius_port = login_getcapstr(lc, radius-port, NULL, NULL); + + if (radius_port == NULL) radius_port = radius; + if (timeout 1) timeout = 1; if (retries 2) @@ -209,7 +214,7 @@ } /* get port number */ - svp = getservbyname (radius, udp); + svp = getservbyname (radius_port, udp); if (svp == NULL) { *emsg = No such service: radius/udp; return (1); @@ -271,7 +276,7 @@ } } - if (retries 0) { + if (retries 0 passwd != ) { That cannot be right rad_request(req_id, userstyle, passwd, auth_port, vector, pwstate); @@ -417,9 +422,9 @@ auth.length = htons(total_length); /* get radius port number */ - rad_port = getservbyname(radius, udp); + rad_port = getservbyname(radius_port, udp); if (rad_port == NULL) - errx(1, no such service: radius/udp); + errx(1, no such service: %s/udp, radius_port); memset(sin, 0, sizeof (sin)); sin.sin_family = AF_INET; Thanks, -Brad
Re: login_radius possible changes.
Sorry I missed the point... Yes, you are correct about 'passwd != ""', my mistake.. I should have been using strncmp.

This is what the diff should be:

--- raddauth.c 2007-12-13 00:38:24.0 -0800 +++ login_radius/raddauth.c 2007-12-13 00:31:35.0 -0800 @@ -117,6 +117,7 @@ int retries; int sockfd; int timeout; +char *radius_port; in_addr_t alt_server; in_addr_t auth_server; @@ -168,6 +169,10 @@ timeout = login_getcapnum(lc, radius-timeout, 2, 2); retries = login_getcapnum(lc, radius-retries, 6, 6); + radius_port = login_getcapstr(lc, radius-port, NULL, NULL); + + if (radius_port == NULL) radius_port = radius; + if (timeout 1) timeout = 1; if (retries 2) @@ -190,7 +195,7 @@ passwd = getpass(Password:); } else passwd = password; - if (passwd == NULL) + if (passwd == NULL) passwd = ; if ((v = login_getcapstr(lc, radius-server, NULL, NULL)) == NULL){ @@ -207,9 +212,9 @@ alt_retries = retries/2; retries = 1; } - + /* get port number */ - svp = getservbyname (radius, udp); + svp = getservbyname (radius_port, udp); if (svp == NULL) { *emsg = No such service: radius/udp; return (1); @@ -271,7 +276,7 @@ } } - if (retries 0) { + if (retries 0 strncmp(passwd, , 1) != 0) { rad_request(req_id, userstyle, passwd, auth_port, vector, pwstate); @@ -417,9 +422,9 @@ auth.length = htons(total_length); /* get radius port number */ - rad_port = getservbyname(radius, udp); + rad_port = getservbyname(radius_port, udp); if (rad_port == NULL) - errx(1, no such service: radius/udp); + errx(1, no such service: %s/udp, radius_port); memset(sin, 0, sizeof (sin)); sin.sin_family = AF_INET;

-Original Message-
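Review bot: the -168 hunk is unchanged from the first version of the diff: the NULL check is not needed because login_getcapstr(3) takes a default value as its third argument, so `radius_port = login_getcapstr(lc, "radius-port", "radius", "radius");` does the same in one line, and the new radius-port login.conf capability still has no entry in the login_radius(8) man page, which Otto asked for.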
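Review bot: the -190 and -207 hunks look whitespace-only in the visible lines (`- if (passwd == NULL)` / `+ if (passwd == NULL)` with identical text, and a blank line in -207) and should be dropped from the diff; they hide the two real changes and make the patch harder to apply. The -207 hunk also still hardcodes `*emsg = "No such service: radius/udp";` even though the lookup now uses radius_port, while the -417 hunk formats the configured name into its errx message; the two error paths should report the same service name.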
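Review bot: `strncmp(passwd, "", 1) != 0` in the -271 hunk is correct (with length 1 it reduces to comparing passwd[0] against '\0') but reads as a bounded string compare, which is not the intent; `passwd[0] != '\0'` is the idiomatic non-empty test and is what Otto suggested. It is safe here only because the -190 hunk's existing `if (passwd == NULL) passwd = "";` guarantees passwd is never NULL at this point, so that guard must stay. Also confirm what the loop does when the condition is false: if it only decrements retries without returning to the Password: prompt, an empty password silently burns local retries instead of re-prompting, which is the opposite of what the thread's stated goal (not spending the AAA server's 3-try lockout on blank requests) needs.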
From: [EMAIL PROTECTED]
Sent: Wed, 12 Dec 2007 19:35:36 +0100
To: [EMAIL PROTECTED]
Subject: Re: login_radius possible changes.

On Wed, Dec 12, 2007 at 08:47:54AM -0800, Brad Arrington wrote:

Hi Otto, Thank you for looking at this. My question is now what would be the right way to do this...? This radius server(AAA) has a 3 try lock out. Without this patch login_radius checks 2 times with a blank password which will allow the user only 1 chance to enter a correct password before it locks the account.

You are comparing pointers, not strings.

-Otto

-Brad

-Original Message-
From: [EMAIL PROTECTED]
Sent: Wed, 12 Dec 2007 10:28:13 +0100
To: [EMAIL PROTECTED]
Subject: Re: login_radius possible changes.

On Wed, Dec 12, 2007 at 12:40:15AM -0800, Brad Arrington wrote:

Would it be possible to change login_radius.c actually raddauth.c so that:
1. The admin can change what port login_radius uses, such as the old datametrics port. It is currently hard coded to radius(1812).
2. Make it so it does not try an empty password 2 times before it kicks back a prompt asking for a password.

This is the diff/changes I had in mind.

--- radius_current/raddauth.c Tue Dec 11 12:28:41 2007 +++ raddauth.c Wed Dec 12 00:29:43 2007 @@ -117,6 +117,7 @@ int retries; int sockfd; int timeout; +char *radius_port; in_addr_t alt_server; in_addr_t auth_server; @@ -168,6 +169,10 @@ timeout = login_getcapnum(lc, radius-timeout, 2, 2); retries = login_getcapnum(lc, radius-retries, 6, 6); + radius_port = login_getcapstr(lc, radius-port, NULL, NULL); + + if (radius_port == NULL) radius_port = radius; + if (timeout 1) timeout = 1; if (retries 2) @@ -209,7 +214,7 @@ } /* get port number */ - svp = getservbyname (radius, udp); + svp = getservbyname (radius_port, udp); if (svp == NULL) { *emsg = No such service: radius/udp; return (1); @@ -271,7 +276,7 @@ } } - if (retries 0) { + if (retries 0 passwd != ) { That cannot be right rad_request(req_id, userstyle, passwd, auth_port, vector, pwstate);
@@ -417,9 +422,9 @@ auth.length = htons(total_length); /* get radius port number */ - rad_port = getservbyname(radius, udp); + rad_port = getservbyname(radius_port, udp); if (rad_port == NULL) - errx(1, no such service: radius/udp); + errx(1, no such service: %s/udp, radius_port); memset(sin, 0, sizeof (sin)); sin.sin_family = AF_INET; Thanks, -Brad
Re: login_radius possible changes.
-Original Message-
From: [EMAIL PROTECTED]
Sent: Wed, 12 Dec 2007 16:20:51 -0500
To: [EMAIL PROTECTED]
Subject: Re: login_radius possible changes.

In message [EMAIL PROTECTED] so spake Brad Arrington (bradla):

Would it be possible to change login_radius.c actually raddauth.c so that:
1. The admin can change what port login_radius uses, such as the old datametrics port. It is currently hard coded to radius(1812).

I have no objection to this part, though it can be done a bit more simply.

Thank you, I would welcome a simpler solution.

2. Make it so it does not try an empty password 2 times before it kicks back a prompt asking for a password.

I'm not at all sure about this. I would have to test this using challenge/response.

Here is a sample of the tcpdump I get.

[1] + Running tcpdump -i fxp0 dst host srv-aaa01.nojava.net 16:22:31.417176 d19216811.nojava.net.6984 srv-aaa01.nojava.net.datametrics: Axs? id:27 [41] Name = brada, Pass = [], NAS-IP = 192.168.1.1, NAS-Pt = 12393 16:22:36.418985 d19216811.nojava.net.6984 srv-aaa01.nojava.net.datametrics: Axs? id:27 [41] Name = brada, Pass = [], NAS-IP = 192.168.1.1, NAS-Pt = 12393 16:23:01.029570 d19216811.nojava.net.1594 srv-aaa01.nojava.net.datametrics: Axs? id:42 [57] Name = brada, Pass = [a91912z981a1z9c49da13ga1z1b1297], NAS-IP = 192.168.1.1, NAS-Pt = 0

The user only gets 3 tries before the account gets locked. This is why I must change the way login_radius(in this case raddauth.c) uses the variable passwd.

- todd

-Brad
login_radius possible changes.
Would it be possible to change login_radius.c actually raddauth.c so that:
1. The admin can change what port login_radius uses, such as the old datametrics port. It is currently hard coded to radius(1812).
2. Make it so it does not try an empty password 2 times before it kicks back a prompt asking for a password.

This is the diff/changes I had in mind.

--- radius_current/raddauth.c Tue Dec 11 12:28:41 2007 +++ raddauth.c Wed Dec 12 00:29:43 2007 @@ -117,6 +117,7 @@ int retries; int sockfd; int timeout; +char *radius_port; in_addr_t alt_server; in_addr_t auth_server; @@ -168,6 +169,10 @@ timeout = login_getcapnum(lc, radius-timeout, 2, 2); retries = login_getcapnum(lc, radius-retries, 6, 6); + radius_port = login_getcapstr(lc, radius-port, NULL, NULL); + + if (radius_port == NULL) radius_port = radius; + if (timeout 1) timeout = 1; if (retries 2) @@ -209,7 +214,7 @@ } /* get port number */ - svp = getservbyname (radius, udp); + svp = getservbyname (radius_port, udp); if (svp == NULL) { *emsg = No such service: radius/udp; return (1); @@ -271,7 +276,7 @@ } } - if (retries 0) { + if (retries 0 passwd != ) { rad_request(req_id, userstyle, passwd, auth_port, vector, pwstate); @@ -417,9 +422,9 @@ auth.length = htons(total_length); /* get radius port number */ - rad_port = getservbyname(radius, udp); + rad_port = getservbyname(radius_port, udp); if (rad_port == NULL) - errx(1, no such service: radius/udp); + errx(1, no such service: %s/udp, radius_port); memset(sin, 0, sizeof (sin)); sin.sin_family = AF_INET;

Thanks,
-Brad
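Review bot: the NULL check after login_getcapstr in the -168 hunk is unnecessary: login_getcapstr(3) takes a default as its third argument, so `radius_port = login_getcapstr(lc, "radius-port", "radius", "radius");` replaces the three added lines with one. The new radius-port capability must also be documented in the login_radius(8) man page, which this diff does not touch.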
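Review bot: the error message in the -209 hunk still hardcodes the service name: once the lookup is `getservbyname(radius_port, "udp")`, `*emsg = "No such service: radius/udp";` misleads the admin whenever a different name such as datametrics is configured. The -417 hunk already formats the configured name into its errx message; this path should report the same name (it needs a buffer, e.g. snprintf into a static char array, since emsg is only a pointer).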
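Review bot: `passwd != ""` in the -271 hunk compares the pointer passwd against the address of a string literal, not the string contents. It is true for every non-empty password, and in the empty case it is true or false depending on whether the compiler merged this literal with the one passwd was set from, so the guard does not reliably stop the blank Access-Request that the tcpdump in this thread shows being counted against the AAA server's 3-try lockout. Test the first character instead: `if (retries > 0 && passwd[0] != '\0') {`. Also check the else path: if the loop just decrements retries without going back to the password prompt, an empty password quietly consumes local retries rather than re-prompting.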
Re: login_radius possible changes.
On Wed, Dec 12, 2007 at 12:40:15AM -0800, Brad Arrington wrote:

Would it be possible to change login_radius.c actually raddauth.c so that:
1. The admin can change what port login_radius uses, such as the old datametrics port. It is currently hard coded to radius(1812).
2. Make it so it does not try an empty password 2 times before it kicks back a prompt asking for a password.

This is the diff/changes I had in mind.

--- radius_current/raddauth.c Tue Dec 11 12:28:41 2007 +++ raddauth.cWed Dec 12 00:29:43 2007 @@ -117,6 +117,7 @@ int retries; int sockfd; int timeout; +char *radius_port; in_addr_t alt_server; in_addr_t auth_server; @@ -168,6 +169,10 @@ timeout = login_getcapnum(lc, radius-timeout, 2, 2); retries = login_getcapnum(lc, radius-retries, 6, 6); + radius_port = login_getcapstr(lc, radius-port, NULL, NULL); + + if (radius_port == NULL) radius_port = radius; + if (timeout 1) timeout = 1; if (retries 2) @@ -209,7 +214,7 @@ } /* get port number */ - svp = getservbyname (radius, udp); + svp = getservbyname (radius_port, udp); if (svp == NULL) { *emsg = No such service: radius/udp; return (1); @@ -271,7 +276,7 @@ } } - if (retries 0) { + if (retries 0 passwd != ) { That cannot be right rad_request(req_id, userstyle, passwd, auth_port, vector, pwstate); @@ -417,9 +422,9 @@ auth.length = htons(total_length); /* get radius port number */ - rad_port = getservbyname(radius, udp); + rad_port = getservbyname(radius_port, udp); if (rad_port == NULL) - errx(1, no such service: radius/udp); + errx(1, no such service: %s/udp, radius_port); memset(sin, 0, sizeof (sin)); sin.sin_family = AF_INET;

Thanks,
-Brad
Re: login_radius possible changes.
Hi Otto, Thank you for looking at this. My question is now what would be the right way to do this...? This radius server(AAA) has a 3 try lock out. Without this patch login_radius checks 2 times with a blank password which will allow the user only 1 chance to enter a correct password before it locks the account.

-Brad

-Original Message-
From: [EMAIL PROTECTED]
Sent: Wed, 12 Dec 2007 10:28:13 +0100
To: [EMAIL PROTECTED]
Subject: Re: login_radius possible changes.

On Wed, Dec 12, 2007 at 12:40:15AM -0800, Brad Arrington wrote:

Would it be possible to change login_radius.c actually raddauth.c so that:
1. The admin can change what port login_radius uses, such as the old datametrics port. It is currently hard coded to radius(1812).
2. Make it so it does not try an empty password 2 times before it kicks back a prompt asking for a password.

This is the diff/changes I had in mind.

--- radius_current/raddauth.cTue Dec 11 12:28:41 2007 +++ raddauth.c Wed Dec 12 00:29:43 2007 @@ -117,6 +117,7 @@ int retries; int sockfd; int timeout; +char *radius_port; in_addr_t alt_server; in_addr_t auth_server; @@ -168,6 +169,10 @@ timeout = login_getcapnum(lc, radius-timeout, 2, 2); retries = login_getcapnum(lc, radius-retries, 6, 6); +radius_port = login_getcapstr(lc, radius-port, NULL, NULL); + +if (radius_port == NULL) radius_port = radius; + if (timeout 1) timeout = 1; if (retries 2) @@ -209,7 +214,7 @@ } /* get port number */ -svp = getservbyname (radius, udp); +svp = getservbyname (radius_port, udp); if (svp == NULL) { *emsg = No such service: radius/udp; return (1); @@ -271,7 +276,7 @@ } } -if (retries 0) { +if (retries 0 passwd != ) { That cannot be right rad_request(req_id, userstyle, passwd, auth_port, vector, pwstate);
@@ -417,9 +422,9 @@ auth.length = htons(total_length); /* get radius port number */ -rad_port = getservbyname(radius, udp); +rad_port = getservbyname(radius_port, udp); if (rad_port == NULL) -errx(1, no such service: radius/udp); +errx(1, no such service: %s/udp, radius_port); memset(sin, 0, sizeof (sin)); sin.sin_family = AF_INET; Thanks, -Brad
Re: login_radius possible changes.
On Wed, Dec 12, 2007 at 08:47:54AM -0800, Brad Arrington wrote:

Hi Otto, Thank you for looking at this. My question is now what would be the right way to do this...? This radius server(AAA) has a 3 try lock out. Without this patch login_radius checks 2 times with a blank password which will allow the user only 1 chance to enter a correct password before it locks the account.

You are comparing pointers, not strings.

-Otto

-Brad

-Original Message-
From: [EMAIL PROTECTED]
Sent: Wed, 12 Dec 2007 10:28:13 +0100
To: [EMAIL PROTECTED]
Subject: Re: login_radius possible changes.

On Wed, Dec 12, 2007 at 12:40:15AM -0800, Brad Arrington wrote:

Would it be possible to change login_radius.c actually raddauth.c so that:
1. The admin can change what port login_radius uses, such as the old datametrics port. It is currently hard coded to radius(1812).
2. Make it so it does not try an empty password 2 times before it kicks back a prompt asking for a password.

This is the diff/changes I had in mind.

--- radius_current/raddauth.c Tue Dec 11 12:28:41 2007 +++ raddauth.c Wed Dec 12 00:29:43 2007 @@ -117,6 +117,7 @@ int retries; int sockfd; int timeout; +char *radius_port; in_addr_t alt_server; in_addr_t auth_server; @@ -168,6 +169,10 @@ timeout = login_getcapnum(lc, radius-timeout, 2, 2); retries = login_getcapnum(lc, radius-retries, 6, 6); + radius_port = login_getcapstr(lc, radius-port, NULL, NULL); + + if (radius_port == NULL) radius_port = radius; + if (timeout 1) timeout = 1; if (retries 2) @@ -209,7 +214,7 @@ } /* get port number */ - svp = getservbyname (radius, udp); + svp = getservbyname (radius_port, udp); if (svp == NULL) { *emsg = No such service: radius/udp; return (1); @@ -271,7 +276,7 @@ } } - if (retries 0) { + if (retries 0 passwd != ) { That cannot be right rad_request(req_id, userstyle, passwd, auth_port, vector, pwstate);
@@ -417,9 +422,9 @@ auth.length = htons(total_length); /* get radius port number */ - rad_port = getservbyname(radius, udp); + rad_port = getservbyname(radius_port, udp); if (rad_port == NULL) - errx(1, no such service: radius/udp); + errx(1, no such service: %s/udp, radius_port); memset(sin, 0, sizeof (sin)); sin.sin_family = AF_INET; Thanks, -Brad
Re: login_radius possible changes.
On Wed, Dec 12, 2007 at 07:35:36PM +0100, Otto Moerbeek wrote:

On Wed, Dec 12, 2007 at 08:47:54AM -0800, Brad Arrington wrote:

Hi Otto, Thank you for looking at this. My question is now what would be the right way to do this...? This radius server(AAA) has a 3 try lock out. Without this patch login_radius checks 2 times with a blank password which will allow the user only 1 chance to enter a correct password before it locks the account.

You are comparing pointers, not strings.

I'll elaborate a bit more. Comparing to an empty string should be done like strcmp(password, "") != 0 or password[0] != '\0'

Since your string compare is obviously wrong, I can only assume you did not test your diff. At least not for all cases it should handle. Also, I'm missing a man page addition.

-Otto

-Brad

-Original Message-
From: [EMAIL PROTECTED]
Sent: Wed, 12 Dec 2007 10:28:13 +0100
To: [EMAIL PROTECTED]
Subject: Re: login_radius possible changes.

On Wed, Dec 12, 2007 at 12:40:15AM -0800, Brad Arrington wrote:

Would it be possible to change login_radius.c actually raddauth.c so that:
1. The admin can change what port login_radius uses, such as the old datametrics port. It is currently hard coded to radius(1812).
2. Make it so it does not try an empty password 2 times before it kicks back a prompt asking for a password.

This is the diff/changes I had in mind.

--- radius_current/raddauth.cTue Dec 11 12:28:41 2007 +++ raddauth.c Wed Dec 12 00:29:43 2007 @@ -117,6 +117,7 @@ int retries; int sockfd; int timeout; +char *radius_port; in_addr_t alt_server; in_addr_t auth_server; @@ -168,6 +169,10 @@ timeout = login_getcapnum(lc, radius-timeout, 2, 2); retries = login_getcapnum(lc, radius-retries, 6, 6); +radius_port = login_getcapstr(lc, radius-port, NULL, NULL); + +if (radius_port == NULL) radius_port = radius; + if (timeout 1) timeout = 1; if (retries 2)
@@ -209,7 +214,7 @@ } /* get port number */ -svp = getservbyname (radius, udp); +svp = getservbyname (radius_port, udp); if (svp == NULL) { *emsg = No such service: radius/udp; return (1); @@ -271,7 +276,7 @@ } } -if (retries 0) { +if (retries 0 passwd != ) { That cannot be right rad_request(req_id, userstyle, passwd, auth_port, vector, pwstate); @@ -417,9 +422,9 @@ auth.length = htons(total_length); /* get radius port number */ -rad_port = getservbyname(radius, udp); +rad_port = getservbyname(radius_port, udp); if (rad_port == NULL) -errx(1, no such service: radius/udp); +errx(1, no such service: %s/udp, radius_port); memset(sin, 0, sizeof (sin)); sin.sin_family = AF_INET; Thanks, -Brad
Re: login_radius possible changes.
In message [EMAIL PROTECTED] so spake Brad Arrington (bradla):

Would it be possible to change login_radius.c actually raddauth.c so that:
1. The admin can change what port login_radius uses, such as the old datametrics port. It is currently hard coded to radius(1812).

I have no objection to this part, though it can be done a bit more simply.

2. Make it so it does not try an empty password 2 times before it kicks back a prompt asking for a password.

I'm not at all sure about this. I would have to test this using challenge/response.

- todd