On Wed, 2004-01-07 at 15:54, Alan DeKok wrote:
> John Horne <[EMAIL PROTECTED]> wrote:
> > However, if I simply change the users file entry to:
> > 
> >       fred   Auth-Type := Local, User-Password != "anything"
> > 
> > Specifying that the pwd should not be 'anything' then it doesn't work.
> > That is, I cannot authenticate. The radiusd output shows:
> 
>   I don't see why you would expect that user to authenticate.
> 
Because I am reading the '!=' as meaning that when a check of the stored
password and the user-supplied password is done then the user is 'valid'
- that is, authenticated - providing the password they entered did not
match the radiusd calculated/encrypted password derived from 'anything'.
If that is not so then what do the '!=', '!~', '=*' and so on mean?

> 
>   OK, go to src/modules/rlm_mschap/rlm_mschap.c, look for:
> 
>       vp = pairmake("Auth-Type", authtype_name, T_OP_SET);
> 
>   change the T_OP_SET to T_OP_EQ, and re-compile & install the
> module.  It should work then.
> 
This seemed to make no difference. However I did notice, before and
after the change, that if the user file entry has something like:

        User-Password != "something"

Then if the user enters the password of 'something' they are
authenticated. To me this seems odd since what then is the difference
between using '==' or '!='? My reading of this, as stated above, is that
if they enter 'something' as the password they should not be
authenticated, and if they enter anything which does not match
'something' then they will.

> > Anyone got any suggestions about this? Relevant parts of the
> > radiusd.conf are below, but simply changing the users file entry operator
> > from '==' to '!=' surely shouldn't cause a problem? All the encryption
> > stuff should work because instead of comparing the users file password
> > with the one the user enters when connecting should simply check for
> > equality or not. When '==' is used they should be equal, when '!=' is
> > used they should not be equal.
> 
>   Due to the way passwords are checked, it doesn't quite work that
> way.
>
In which case I think I am somewhat lost! :-) Given that in our case
MS-CHAPv2 must be used, and hence some form of encryption is going on,
do the '!=', '!~' etc. operators still apply? If so, then how are they
applied? As stated above using '==' or '!=' makes no difference, in both
cases the user is authenticated.



John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]       Fax: +44 (0)1752 233839


