Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Equin Nix
Hi,

I am trying to set up something very basic (at least from my point of view):
I would like to have a User with multiple passwords (two actually). How
would I do this? I tried the following:

alice Auth-Type=Local, Cleartext-Password := "test1"
alice Auth-Type=Local, Cleartext-Password := "test2"

which (of course) did not work. Then

alice Auth-Type=Local, Cleartext-Password := "test1"
   Fall-Through = Yes
alice Auth-Type=Local, Cleartext-Password := "test2"

which (of course) did not work, too. Then I tried some regex, from which,
the following do not work:

alice Auth-Type=Local, User-Password =~ "[*]*"
alice Auth-Type=Local, User-Password =~ /*/i
alice Auth-Type=Local, User-Password =~ "(test1)**"
alice Auth-Type=Local, User-Password =~ "[.]*"
...

How would I make an entry to users to have alice log in with "test1" OR
"test2" as password?

Best regards
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Phil Mayers

On 07/07/11 09:51, Equin Nix wrote:

> Hi,
>
> I am trying to set up something very basic (at least from my point of
> view): I would like to have a User with multiple passwords (two
> actually). How would I do this? I tried the following:
>
> alice Auth-Type=Local, Cleartext-Password := "test1"
> alice Auth-Type=Local, Cleartext-Password := "test2"


Do not set Auth-Type. It's almost always wrong, and is certainly wrong 
in this case.



It might be possible to have >1 password; but it will probably only work 
for PAP requests, unless you play carefully with module failover.


It also probably won't work in the "users" file; this is because the 
"User-Password" attribute is handled specially here, as a compatibility 
synonym for Cleartext-Password.


You could try something like this - define a second password attribute 
in raddb/dictionary:



ATTRIBUTE   Cleartext-Password2   3002   string

...then set both in the "users" file:

alice   Cleartext-Password := "foo", Cleartext-Password2 := "bar"

...then use unlang to perform the comparisons in sites-enabled/default:

authorize {

  ...
  # read the passwords from "files"
  files
  # compare them
  if ((User-Password != control:Cleartext-Password) && \
      (User-Password != control:Cleartext-Password2)) {
    reject
  }

  # probably need to set Auth-Type := Accept here
  update control {
    Auth-Type := Accept
  }
}

If you want to do this with requests that aren't PAP e.g. CHAP, 
MSCHAP/PEAP etc. then it will be much harder.



Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Equin Nix
Hi Phil,

thanks a lot for the fast answer! Unfortunately your radius-skills seem to
be far far from mine, but I think I get the point.

I tried to add the following to sites-enabled/default (in the authorize
section) (It's not a full copy of your text, I wanted to start step by step):

[...]
    #
    #  Read the 'users' file
    files {
        # compare them
        if (User-Password != control:Cleartext-Password) {
            reject
        }

        # probably need to set Auth-Type := Accept here
        update control {
            Auth-Type := Accept
        }
    }
[...]

and freeradius won't start (even if I remove the update control section).
This is the error:
[...]
/etc/freeradius/sites-enabled/default[154]: Subsection of module instance call not allowed
/etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.

Any idea what might cause the trouble? Line 154 is the "if
(User-Password" line.

BTW: It is not possible with RegEx?

Best regards from Germany




Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Arran Cudbard-Bell
You can't put unlang in the configuration block of the files module... Unlang 
can only exist in policy.conf and in virtual server files.

-Arran



Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Fajar A. Nugraha
On Thu, Jul 7, 2011 at 7:18 PM, Equin Nix  wrote:
> Hi Phil,
>
> thanks a lot for the fast answer! Unfortunately your radius-skills seem to
> be far far from mine, but I think I get the point.
>
> I tried to add the following to sites-enabled/default (in the authorize
> section) (It's not a full copy of your text, I wanted to start step by step):
>
> [...]
>     #
>     #  Read the 'users' file
>     files {
>     # compare them
>     if (User-Password != control:Cleartext-Password) {
>     reject
>     }
>
>
>     # probably need to set Auth-Type := Accept here
>     update control {
>     Auth-Type := Accept
>     }
>     }
> [...]
>
> and freeradius won't start (even if I remove the update control section).
> This is the error:
> [...]
> /etc/freeradius/sites-enabled/default[154]: Subsection of module instance
> call not allowed

Don't put the comparison as a subsection of module instance. i.e. do NOT use

files {
  
}


instead use

files


also see "man unlang". Among others, it explains how to use
attributes, variables, and regex.

-- 
Fajar



Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Arran Cudbard-Bell
Sorry, make that: module calls cannot contain unlang, only rcode overrides.

You want:

> #
> #  Read the 'users' file
> files
> # compare them
> if (User-Password != control:Cleartext-Password) {
>     reject
> }
>
> # probably need to set Auth-Type := Accept here
> update control {
>     Auth-Type := Accept
> }



Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Phil Mayers

On 07/07/11 13:18, Equin Nix wrote:

> Hi Phil,
>
> thanks a lot for the fast answer! Unfortunately your radius-skills seem
> to be far far from mine, but I think I get the point.
>
> I tried to add the following to sites-enabled/default (in the authorize
> section) (It's not a full copy of your text, I wanted to start step by step):
>
> [...]
> #
> # Read the 'users' file
> files {
> # compare them


No, that's wrong. As per my original email, it should be:

authorize {
  files
  if (...) {
    ...
  }
}

You've got:

authorize {
  files {
    ...
  }
}

...which is wrong.


Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Equin Nix
Phil, you got it working!

All of what you wrote was right:
- added Cleartext-Password2 to
  /usr/share/freeradius/dictionary.freeradius.internal
- created user file like this:
  user Cleartext-Password := "1", Cleartext-Password2 += "2"
- updated sites-enabled/default to look like this (authorize section)

[..]
    #
    #  Read the 'users' file
    files {
    }

    if (("%{User-Password}" != "%{control:Cleartext-Password}") &&
        ("%{User-Password}" != "%{control:Cleartext-Password2}")) {
        update reply {
            Reply-Message = "I suck at FreeRadiusing!"
        }
        reject
    }
    else {
        update control {
            Auth-Type := Accept
        }
    }
[..]

If I can buy you a beer or something (thinking of
https://secure.wikimedia.org/wikipedia/en/wiki/Beerware or
https://secure.wikimedia.org/wikipedia/en/wiki/Postcardware) just email me
:)

Best Regards
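
Added example (not part of the original thread and not FreeRADIUS code): Phil's remark that the two-password comparison works for PAP but is much harder for CHAP/MSCHAP follows from what the server receives. With PAP the server can recover the cleartext User-Password (RFC 2865, section 5.2) and compare it with each stored password; with CHAP only a one-way hash arrives (RFC 1994), so the expected response has to be recomputed for each stored password. The shared secret, authenticator and all function names are constructed for illustration; "foo" and "bar" are the passwords from Phil's users-file line.

```python
import hashlib
import hmac

# Constructed sample values; "foo"/"bar" mirror the users-file entry above.
SECRET = b"testing123"            # shared secret between NAS and server
AUTHENTICATOR = bytes(range(16))  # 16-byte Request Authenticator
STORED = [b"foo", b"bar"]         # Cleartext-Password, Cleartext-Password2

def _mask(secret, prev):
    return hashlib.md5(secret + prev).digest()

def pap_hide(password, secret, authenticator):
    """NAS side (RFC 2865 5.2): pad to 16-byte blocks, XOR with an MD5 chain."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], _mask(secret, prev)))
        out += prev
    return out

def pap_recover(hidden, secret, authenticator):
    """Server side: undo the chain, which yields the cleartext password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, _mask(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id, password, challenge):
    """Peer side (RFC 1994): one-way MD5 over id, password and challenge."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def _matches_any(value, expected):
    # Constant-time compare against every entry, no early exit.
    ok = False
    for item in expected:
        ok |= hmac.compare_digest(value, item)
    return ok

def _usable(candidates):
    # An unset or empty stored password must never match an empty input.
    return [c for c in candidates if c]

def pap_accepts(hidden, secret, authenticator, candidates):
    """PAP: compare the recovered cleartext with each stored password."""
    supplied = pap_recover(hidden, secret, authenticator)
    return _matches_any(supplied, _usable(candidates))

def chap_accepts(chap_id, response, challenge, candidates):
    """CHAP: no cleartext arrives, so recompute the hash per stored password."""
    expected = [chap_response(chap_id, c, challenge) for c in _usable(candidates)]
    return _matches_any(response, expected)
```

_usable() drops unset or empty stored passwords so that an empty supplied password never matches a user who has only one password defined; the same case is worth checking in the string-expansion form of the unlang comparison.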





Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-12 Thread Equin Nix
Did my last mail make it?
