-------- Original Message --------
Subject: Re: Old password 'grace period'
Date: Thu, 25 Jun 2009 12:11:07 +0100
From: Arran Cudbard-Bell <a.cudbard-b...@sussex.ac.uk>
Organization: University of Sussex
To: t...@kalik.net

[snip]

I have tested something like this yesterday - it doesn't. You can't just
replace Cleartext-Password. NT-Password and LM-Password were created for
the "new" password and mschap module will reuse them, completely ignoring
"old" Cleartext-Password. They need to be removed or replaced before
mschap module is called again.

Ahhh ok... Yes, the code agrees with you :)

        } else if (!password) {
                RDEBUG2("No Cleartext-Password configured.  Cannot create LM-Password.");

        } else {                /* there is a configured Cleartext-Password */
                lm_password = radius_pairmake(request, &request->config_items,
                                              "LM-Password", "", T_OP_EQ);

Writes the NT-Password and LM-Password values back to the control list of
the request.

But seeing as the values are just being stored in the control list of the
request, we can remove them using unlang.


authenticate {
    mschap {
        update control {
            Cleartext-Password := "%{sql_new:SELECT <cleartext password query...>}"
        }
        mschap {
            reject = 2
        }
        if (reject) {
            update control {
                NT-Password -= "%{control:NT-Password}"
                LM-Password -= "%{control:LM-Password}"
                Cleartext-Password := "%{sql_old:SELECT <cleartext password query...>}"
            }
            mschap
        }
    }
}

Thanks,
Arran
--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html