Hello,
Is it a good idea to allow testing of a given user name/password pair
from anywhere on the Internet? I modified the latest conffile.c to accept
authentication requests from anywhere by using the following directive:
client 0.0.0.0/0 {
secret = XXX
shortname = superbt.ca
}
As you see, the significant part of netmask is reduced to 0 leftmost bits.
Is this a safe approach? The patch is enclosed.
--
Ilguiz Latypov
computer programmer
SuperBT Canada, Inc
153 Union St. E.
Waterloo, Ontario N2J 1C4
Canada
GMT-4 day time tel. +1 (519) 569-7818
GMT-4 night time tel. +1 (519) 569-7193
======================================================================
diff -u ../../../radiusd.orig/src/main/conffile.c ./conffile.c
--- ../../../radiusd.orig/src/main/conffile.c Mon Jun 10 11:06:16 2002
+++ ./conffile.c Tue Jul 9 19:47:58 2002
@@ -1145,15 +1145,16 @@
int i, mask_length;
mask_length = atoi(netmask + 1);
- if ((mask_length <= 0) || (mask_length > 32)) {
+ if ((mask_length < 0) || (mask_length > 32)) {
radlog(L_ERR, "%s[%d]: Invalid value '%s' for IP
network mask.",
filename, cs->item.lineno, netmask +
1);
return -1;
}
- c->netmask = (1 << 31);
- for (i = 1; i < mask_length; i++) {
- c->netmask |= (c->netmask >> 1);
+ c->netmask = 0;
+ for (i = 1; i <= mask_length; i++) {
+ c->netmask >>= 1;
+ c->netmask |= (1 << 31);
}
*netmask = '\0';
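Review bot: Relaxing the check to `mask_length < 0` lets a malformed suffix through, because `atoi(netmask + 1)` returns 0 for input such as `/` or `/abc`, which the old `<= 0` test happened to reject. After this change a typo in a client entry is silently treated as /0, and the entry's shared secret is then accepted from every source address. Parse the suffix with `strtol` and require that all of it is digits, so that only an explicit `0` yields a zero-length mask, as sketched below. Separately, `(1 << 31)` in the new loop shifts into the sign bit of a signed int, which is undefined where int is 32 bits; `c->netmask |= (1U << 31);` avoids that, assuming `c->netmask` is an unsigned 32-bit field (its type is not visible here). The enclosing function begins and ends outside the hunk, so the two new declarations belong with `int i, mask_length;` at the top of its block.

```c
int i, mask_length;
char *end;
long parsed;

/* atoi() yields 0 for "/" or "/abc"; strtol() lets us tell that apart from an explicit "/0". */
parsed = strtol(netmask + 1, &end, 10);
if ((end == netmask + 1) || (*end != '\0') ||
    (parsed < 0) || (parsed > 32)) {
	/* … unchanged: radlog() of the invalid mask and return -1 … */
}
mask_length = (int) parsed;
/* … unchanged: netmask loop and *netmask = '\0' … */
```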
======================================================================