On 25/6/09 13:11, Ivan Kalik wrote:
I have tested something like this yesterday - it doesn't. You can't just
replace Cleartext-Password. NT-Password and LM-Password were created for
the "new" password and the mschap module will reuse them, completely
ignoring the "old" Cleartext-Password. They need to be removed or replaced
before the mschap module is called again.
Writes the NT-Password and LM-Password values back to the control list of the request.

But seeing as the values are just being stored in the control list of the
request, we can remove them using unlang.


authenticate {
      mschap {

Just for the readers of the list - the section is Auth-Type MS-CHAP not
mschap.

Oops, yep Auth-Type MS-CHAP.



          update control {
              Cleartext-Password := "%{sql_new:SELECT<cleartext password query...>}"
          }
          mschap {
              reject = 2
          }

Ah, so that's how you make if work.

Yep. Otherwise reject has a priority/opcode of reject, and the request is
rejected ;)


          if(reject){
              update control {
                NT-Password -= "%{control:NT-Password}"
                LM-Password -= "%{control:LM-Password}"

Yes, I had that lined up, but couldn't get if to work.

                  Cleartext-Password := "%{sql_old:SELECT<cleartext password query...>}"
              }
              mschap
          }
      }
}

Ok, pap failover done this way now works. I can't test mschap from where I
am right now but I don't see a problem any more. My construction is
slightly different - I read only replacement password from sql assuming
that the usual one is pulled by regular sql queries (my scenario has
Cleartext-Password and custom attribute Old-Password both in same radcheck
table).

That should work fine too.

So you can just swap out the first update control { Cleartext-Password .... } 
bit for a call to the SQL module. Though you'd probably want to put it in the 
authorise section...


So it'd be something like :

instantiate {
        sql_old
}

authorize {
        # Retrieves credentials
        sql_new
        # Sets auth-type mschap
        mschap
}

authenticate {
        Auth-Type MS-CHAP {
                mschap {
                        reject = 2
                }
                if(reject){
                        # Remove stale password hashes created on first call to rlm_mschap
                        update control {
                                NT-Password -= "%{control:NT-Password}"
                                LM-Password -= "%{control:LM-Password}"
                                Cleartext-Password := "%{sql_old:SELECT<cleartext password query...>}"
                        }
                        }
                        mschap
                }
        }
}

Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
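To make the reuse problem concrete, here is an added Python model of the control-list behaviour the thread describes (this is illustration code, not FreeRADIUS or rlm_mschap source): mschap reuses an NT-Password already present in the control list and only derives one from Cleartext-Password when none is there, so swapping Cleartext-Password alone does nothing on the retry. The hash function is a labelled stand-in (the real NT-Password is MD4 over the UTF-16LE password, and a real client sends a challenge response rather than the hash itself); all function names are assumed.

```python
import hashlib


def nt_hash(password: str) -> str:
    # Stand-in for the NT hash. rlm_mschap derives NT-Password as MD4 over the
    # UTF-16LE password; SHA-256 is used here only because MD4 is often disabled
    # in modern OpenSSL builds. The control-list logic below does not depend on it.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()[:32].upper()


def mschap(control: dict, client_proof: str) -> str:
    """Model of rlm_mschap as described in the thread.

    If NT-Password is already in the control list it is reused as-is; otherwise
    it is derived from Cleartext-Password and written back to the control list.
    The client's proof is modelled as the bare NT hash (a real MS-CHAP exchange
    uses a challenge response derived from it).
    """
    if "NT-Password" not in control:
        if "Cleartext-Password" not in control:
            return "noop"  # nothing to check against
        control["NT-Password"] = nt_hash(control["Cleartext-Password"])
    return "ok" if control["NT-Password"] == client_proof else "reject"


def failover_replace_cleartext(old_pw: str, new_pw: str, client_pw: str) -> str:
    """Broken approach: only Cleartext-Password is swapped before the retry."""
    control = {"Cleartext-Password": new_pw}
    rc = mschap(control, nt_hash(client_pw))
    if rc == "reject":
        control["Cleartext-Password"] = old_pw
        rc = mschap(control, nt_hash(client_pw))  # reuses the stale NT-Password
    return rc


def failover_remove_hashes(old_pw: str, new_pw: str, client_pw: str) -> str:
    """Working approach from the thread: drop the stale hashes first, as the
    unlang 'NT-Password -= ...' / 'LM-Password -= ...' lines do."""
    control = {"Cleartext-Password": new_pw}
    rc = mschap(control, nt_hash(client_pw))
    if rc == "reject":
        control.pop("NT-Password", None)
        control.pop("LM-Password", None)  # LM not modelled here; mirrors the unlang
        control["Cleartext-Password"] = old_pw
        rc = mschap(control, nt_hash(client_pw))  # now derived from old_pw
    return rc


if __name__ == "__main__":
    # Constructed sample: password rotated from "Winter09" to "Spring09", but
    # the client still presents the old one.
    print(failover_replace_cleartext("Winter09", "Spring09", "Winter09"))  # reject
    print(failover_remove_hashes("Winter09", "Spring09", "Winter09"))  # ok
```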
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html