Re: Fwd: (RADIATOR) Quoted and escaped password

2001-06-27 Thread talist

Mike,
Your suggestion of sending the password from AuthSQL::findUser is definitely
the most elegant way.  Unfortunately my perl skills are a bit rusty, so I am
submitting an additional variable as a workaround.
I have added the variable "%K" which contains the same thing as "%P"
(decrypted password) but with ' or " characters replaced by a "?" .

===
diff -o Util.pm Util.pm_original_2.18.1
65,66d64
<  'K', sub { return unless $packet; my $UnquotedPass =
$packet->decodedPassword();
<   $UnquotedPass =~ s/['"]/?/g; $UnquotedPass },
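Review bot: in the new 'K' conversion, s/['"]/?/g rewrites the password instead of escaping it, so passwords that differ only in a quote character (or that already contain "?") expand to the same %K string, and backslashes and other characters the SQL server treats specially pass through unchanged. Suggest producing the value with the DBI quote function, as proposed in the quoted reply, and adding a comment that documents what %K contains.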
323c321
< $s =~
s/%([%abcCdDefghHijkKlLmMNopqQnPrRsStTUuvVyYz])/&{$conversions{$1}}()/egs;
---
> $s =~
s/%([%abcCdDefghHijklLmMNopqQnPrRsStTUuvVyYz])/&{$conversions{$1}}()/egs;
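Review bot: the diff is taken in the reverse direction. The command names Util.pm first and Util.pm_original_2.18.1 second, so the "<" lines carrying K are the modified file, and this 323c321 hunk would remove K from the character class if applied as a patch. Regenerate with the original file first (diff -u Util.pm_original_2.18.1 Util.pm gives a unified diff that is easier to review). The character class also has to be kept in step with the keys of %conversions by hand; a comment beside it saying so would help.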
==



- Original Message -
From: "Mike McCauley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; "Hugh Irvine" <[EMAIL PROTECTED]>
Sent: Wednesday, June 27, 2001 6:56 PM
Subject: Re: Fwd: (RADIATOR) Quoted and escaped password


> > >
> > >I would like to add the definition of a variable that would provide the
> > >quoted and escaped password returned from the NAS.
> > >Something similar to %0 (for username) but for returned passwords in the
> > >AuthSQL context.
> > >Could someone tell me where is the %0 defined in the radiator perl modules.
> > >The current %P (decrypted user password) is fine but my custom update query
> > >is failing whenever the dialin user is sending quotes.
>
> The replacement of %P is done by Radius::Util::format_special.
> %0, %1 etc is also replaced by Radius::Util::format_special, but with
> context-dependent data passed by the caller.
>
> It is usual to use the DBI quote function to quote and escape SQL strings.
> It would be possible for you to add another argument to the call to
> format_special in Radius::AuthSQL::findUser so that the quoted password was
> available as %1
>
> Hope that helps.
> Cheers.
>


===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
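
The two approaches discussed in this message, side by side, as an added example that is not part of the original posts or of Radiator's code: the "%K" substitution next to the DBI quote function. The template string, the helper names k_style and expand_quoted, the sample passwords, and the use of the DBD::Sponge driver bundled with DBI are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example (not Radiator code): compare the %K workaround with
# DBI's quote() when a PAP password is placed into an SQL statement.
use strict;
use warnings;
use DBI;

# DBD::Sponge ships with DBI and needs no database server. It uses DBI's
# default quote(); a real driver such as DBD::mysql applies its own rules.
my $dbh = DBI->connect('dbi:Sponge:', '', '', { RaiseError => 1 });

# Hypothetical template modelled on the AuthSelect lines in this thread.
# Note that it carries no quote marks: quote() supplies them.
my $template = 'exec MyStoredProc %0, %1';

# The workaround from the message: quote characters become "?".
sub k_style {
    my ($pw) = @_;
    (my $out = $pw) =~ s/['"]/?/g;
    return $out;
}

# Expand %0, %1 ... with values already quoted by the driver.
sub expand_quoted {
    my ($tmpl, @args) = @_;
    my @quoted = map { $dbh->quote($_) } @args;
    $tmpl =~ s/%(\d)/defined $quoted[$1] ? $quoted[$1] : ''/eg;
    return $tmpl;
}

# Constructed sample passwords. The first three become identical under
# the %K rule, and the backslash in the fourth is left untouched by it.
for my $pw ("o'brien", 'o"brien', 'o?brien', 'back\\slash') {
    printf "%-12s  %%K => %-12s  quote => %s\n",
        $pw, k_style($pw), $dbh->quote($pw);
}

# Username and password both go through the driver's quoting.
print expand_quoted($template, 'alice', "o'brien"), "\n";
```

With quote() each password keeps its exact value and arrives as a single SQL string literal, which is what a password comparison inside a stored procedure needs.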



(RADIATOR) Quoted and escaped password

2001-06-26 Thread talist

Hello,

I would like to add the definition of a variable that would provide the
quoted and escaped password returned from the NAS.
Something similar to %0 (for username) but for returned passwords in the
AuthSQL context.
Could someone tell me where is the %0 defined in the radiator perl modules.
The current %P (decrypted user password) is fine but my custom update query
is failing whenever the dialin user is sending quotes.









(RADIATOR) AuthSQLStatement

2001-06-11 Thread talist

There is an existing function called AcctSQLStatement which does an $sth->do
on the DBI interface.
This is very useful because you can "emulate" stored procedure behaviour on
databases that lack this feature (i.e. mysql)
I know that hook processing can do all that and more, but the simplicity and
lack of forking of AcctSQLStatement/AuthSQLStatement make them very
attractive.
I would like to submit a small code addition in order to implement
AuthSQLStatement which I am using in order to communicate with mysql before
authenticating the user.  In my case this is very useful because I can
emulate stored procedure features as in: "insert into DebugTable select case
when {condition} then {do something} end"

One thing that I would like to see with those functions is the possibility
to use multiple occurrences and having them sent to the database, we could
then use the "user variables" feature on mysql in order to get closer to a
stored procedure emulation.


diff -u AuthSQL.original.pm AuthSQL.pm
--- AuthSQL.original.pm Sat Jun  9 08:53:30 2001
+++ AuthSQL.pm  Sat Jun  9 08:53:46 2001
@@ -71,6 +71,7 @@
 'AccountingStopsOnly'   => 'flag',
 'AccountingAlivesOnly'  => 'flag',
 'AcctSQLStatement'  => 'stringarray',
+'AuthSQLStatement'  => 'stringarray',
 # REVISIT: move AcctFailedLogFileName to AuthGeneric
 'AcctFailedLogFileName' => 'string',
 'AcctLogFileFormat' => 'string') && return 1;
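Review bot: the new 'AuthSQLStatement' keyword is added to the parameter table with no accompanying documentation. Please describe, next to the entry or in the reference manual, that each string is expanded by format_special and executed before authentication on every request handled by this clause, and how it differs from AcctSQLStatement, so that operators know request attributes end up inside the SQL text.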
@@ -141,6 +142,13 @@
# Short circuit for no authentication
return ($main::REJECT, 'Authentication disabled')
if $self->{AuthSelect} eq '';
+
+   # If AuthSQLStatement is set, parse the strings and execute them
+if (defined $self->{AuthSQLStatement})
+{
+map {$self->do(&Radius::Util::format_special($_, $p, $rp))}
+@{$self->{AuthSQLStatement}};
+}

# The default behaviour in AuthGeneric is fine for this
return $self->SUPER::handle_request($p, $rp, $extra_checks);
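Review bot: in the added block, the string returned by format_special is handed straight to $self->do, so any request attribute named in an AuthSQLStatement template reaches the database with no escaping, and the result of do is discarded, so a failed statement goes unnoticed before SUPER::handle_request runs. Suggest quoting the expanded values with the DBI quote function before substitution, replacing the void-context map with a foreach loop that checks and logs the return value of each do, and aligning the indentation of the new comment line with the surrounding code.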



[EMAIL PROTECTED]




Re: (RADIATOR) Sending Username and password to SQL

2000-05-09 Thread talist

I made a small modification to util.pm so I can have the decrypted password
in Radiator.
In this example '%P' would be the decrypted password and can be used the
same way as '%n' (the Username)
I think this is very useful for everyone.  In my case, this allows me to
send the username and the password as:
AuthSelect exec MyStoredProc '%n' '%P'

May I suggest we include the following in util.pm

'P', sub { return unless $packet;
$packet->decode_password($packet->{Client}->{Secret}) },

Also replace:
$s =~ s/%([%abcCdefgDhijkHlLmMNopnRStTUuyY])/&{$conversions{$1}}()/egs;
with:
$s =~ s/%([%abcCdefgDhijkHlLmMNopPnRStTUuyY])/&{$conversions{$1}}()/egs;


> I wish I could use the DecryptPassword clause found in AuthExternal.
> I tried to implement it in the AuthSQL.pm but my perl knowledge is too rusty
>
> I am sure this is just a few lines of code but I am afraid of making the
> server crash.  Anyone wants to give it a try?
>
> > > The %{User-Password} is giving an encrypted version of the actual password
> > > typed by the user.
> > > Is there another variable containing the actual password typed by the RAS
> > > user ?
> > > If not, how can I decrypt the User-Password variable.
> > >
> >
> > I think you will have to write a PreAuthHook to decode the password and store
> > it in a pseudo-attribute in the packet for later use by your AuthBy SQL. There
> > are some example hooks in the patches area that will help you:
> >
> > http://www.open.com.au/radiator/downloads/patches-2.15/hooks.txt
> >
> > You will need to use the "decode_password" routine in Radius.pm. Note that this
> > will only work with PAP requests from your NAS(s) as it is impossible to
> > decrypt CHAP passwords.
> >
> > hth
> >
> > Hugh
> >
>
>


===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) Sending Username and password to SQL

2000-05-09 Thread talist

I wish I could use the DecryptPassword clause found in AuthExternal.
I tried to implement it in the AuthSQL.pm but my perl knowledge is too rusty
:(  
I am sure this is just a few lines of code but I am afraid of making the server crash. 
 Anyone wants to give it a try?

> > The %{User-Password} is giving an encrypted version of the actual password
> > typed by the user.
> > Is there another variable containing the actual password typed by the RAS
> > user ?
> > If not, how can I decrypt the User-Password variable.
> > 
> 
> I think you will have to write a PreAuthHook to decode the password and store
> it in a pseudo-attribute in the packet for later use by your AuthBy SQL. There
> are some example hooks in the patches area that will help you:
> 
> http://www.open.com.au/radiator/downloads/patches-2.15/hooks.txt
> 
> You will need to use the "decode_password" routine in Radius.pm. Note that this
> will only work with PAP requests from your NAS(s) as it is impossible to
> decrypt CHAP passwords.
> 
> hth
> 
> Hugh
> 






Re: (RADIATOR) Sending Username and password to SQL

2000-05-09 Thread talist

The %{User-Password} is giving an encrypted version of the actual password
typed by the user.
Is there another variable containing the actual password typed by the RAS
user ?
If not, how can I decrypt the User-Password variable.



>
> Hello -
>
> On Tue, 09 May 2000, [EMAIL PROTECTED] wrote:
> > I would like to change my AuthSelect in a way that it would send the
> > username and password to the SQL server
> > Can I use something like:
> > AuthSelect exec MyStoredProc '%n' '%{User-Password}'
> >
>
> Yes, you should be able to do this. The AuthSelect statement is passed to the
> routine "format_special" that is where the "%" strings are expanded. You will
> need to check on the exact syntax for the "exec" and you can see what is
> happening by running Radiator at trace 4 debug level.
>
> The subject of stored procedures has been discussed on the mailing list, and
> you should also check http://www.starport.net/~radiator and do a search.
>
> hth
>
> Hugh
>
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
>
>
>





(RADIATOR) Sending Username and password to SQL

2000-05-09 Thread talist

I would like to change my AuthSelect in a way that it would send the
username and password to the SQL server
Can I use something like:
AuthSelect exec MyStoredProc '%n' '%{User-Password}'















No Subject

2000-02-02 Thread talist

Subject: Re: (RADIATOR) AuthBy NT and Global Group ?
Date: Fri, 7 Jan 2000 22:18:32 -0500

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) AuthBy NT: Account Expired and Account Locked

2000-01-10 Thread talist

Hello Mike,

You are right the Win32::AdminMisc is not standard with ActivePerl.
I got it via PPM install Win32-AdminMisc




> Hello.
>
> Thank you very much for your contribution. We have rolled most of it into the
> base code, and it will appear in the next release.
>
> However, we note that some of your code uses Win32::AdminMisc, which does not
> seem to be standard part of the ActiveState perl distribution (it used to be
> part of the standard Win32 libs, even though it overlapped to some extent with
> NetAdmin)
> Is Win32::AdminMisc now standard?
>
>
> We too are very surprised that there is no other way to validate a
> username/password. I wish it was different.
>
> Thanks again for your code.
> Cheers.
>
[...]





(RADIATOR) AuthBy NT: Account Expired and Account Locked

2000-01-10 Thread talist

Hello,

I noticed that Radiator did not detect when an account is Expired or Locked
(this is different from disabled) in the NT SAM
May I suggest the following addition to the AuthNT.pm module:

require Win32::AdminMisc;
import Win32::AdminMisc;

 # #
 # insert this part on line 156 in AuthNT.pm (just after the "Account is disabled" condition)
 # #
 elsif ($Getflags & &UF_LOCKOUT)
 {
  # Account is locked out in the NT SAM (distinct from disabled)
  return ($main::REJECT, "Account is Locked");
 }
 # Fetch the account's miscellaneous attributes from the domain controller
 my %HashMiscAttributes;
 if (Win32::AdminMisc::UserGetMiscAttributes($self->{DomainController}, $user_name, \%HashMiscAttributes))
 {
  # Reject when the account expiry time is already in the past
  if ($HashMiscAttributes{USER_ACCT_EXPIRES} < time)
  {
   return ($main::REJECT, "Account is Expired");
  }
 }
 # #

Although this addition will make AuthNT more useful, I feel it would be
much cleaner to find a way to send the UserName/Password combo to the
DomainController in order to do the checking internally.
I am very surprised there are no functions available to authenticate a user
against NT SAM








Re: (RADIATOR) AuthBy NT and Global Group ?

2000-01-07 Thread talist

While reading the "AuthBy NT" source code, I noticed the use of
Win32::NetAdmin::GroupIsMember instead of
Win32::NetAdmin::LocalGroupIsMember
That led me to believe that Radiator is checking in the Global Groups of
the DomainController
I checked this theory on an NT box and it seems to be authenticating against
Global Domain Groups.

Well since this was what I needed, I feel quite happy with this behavior so
I will not make any further tests (i.e. check if it applies to Local Groups
...)

A Big thank you to the Radiator team for this great product.

> >
> > Is it possible to authenticate NT passwords with Global Groups (instead of
> > Local Group)
> > I would like to divide several groups of users according to their global
> > Group affiliation.
>
> Sorry, only Local groups are supported.
>
> Cheers.






(RADIATOR) AuthBy NT and Global Group ?

2000-01-07 Thread talist

Hello,

Is it possible to authenticate NT passwords with Global Groups (instead of
Local Group)
I would like to divide several groups of users according to their global
Group affiliation.





(RADIATOR) Sending Username and ANI Information with SQL

1999-12-25 Thread talist

Hello,

Is it possible to send the ANI information along with the username (%n) in
the AuthSelect query ?

Currently I am using something like:
AuthSelect   Select Password From MyUsers Where LoginName = '%n'

I would like to use something like:
AuthSelect   Select PAssword From MyUsers Where LoginName = '%n' AND CallerID = '%ANI'


