2
2
* auth.c User authentication.
4
* Version: $Id: auth.c,v 1.178 2008/04/18 09:29:49 aland Exp $
6
6
* This program is free software; you can redistribute it and/or modify
7
7
* it under the terms of the GNU General Public License as published by
25
25
#include <freeradius-devel/ident.h>
26
RCSID("$Id: auth.c,v 1.178 2008/04/18 09:29:49 aland Exp $")
28
28
#include <freeradius-devel/radiusd.h>
29
29
#include <freeradius-devel/modules.h>
60
60
* Make sure user/pass are clean
61
61
* and then log them
63
static int rad_authlog(const char *msg, REQUEST *request, int goodpass) {
63
static int rad_authlog(const char *msg, REQUEST *request, int goodpass)
66
const char *extra_msg = NULL;
65
67
char clean_password[1024];
66
68
char clean_username[1024];
68
71
VALUE_PAIR *username = NULL;
70
73
if (!request->root->log_auth) {
86
89
if (username == NULL) {
87
90
strcpy(clean_username, "<no User-Name attribute>");
89
librad_safeprint((char *)username->vp_strvalue,
92
fr_print_string((char *)username->vp_strvalue,
91
94
clean_username, sizeof(clean_username));
110
113
} else if (pairfind(request->packet->vps, PW_CHAP_PASSWORD)) {
111
114
strcpy(clean_password, "<CHAP-Password>");
113
librad_safeprint((char *)request->password->vp_strvalue,
116
fr_print_string((char *)request->password->vp_strvalue,
114
117
request->password->length,
115
118
clean_password, sizeof(clean_password));
120
radlog(L_AUTH, "%s: [%s%s%s] (%s)",
123
request->root->log_auth_goodpass ? "/" : "",
124
request->root->log_auth_goodpass ? clean_password : "",
125
auth_name(buf, sizeof(buf), request, 1));
127
radlog(L_AUTH, "%s: [%s%s%s] (%s)",
130
request->root->log_auth_badpass ? "/" : "",
131
request->root->log_auth_badpass ? clean_password : "",
132
auth_name(buf, sizeof(buf), request, 1));
123
logit = request->root->log_auth_goodpass;
124
extra_msg = request->root->auth_goodpass_msg;
126
logit = request->root->log_auth_badpass;
127
extra_msg = request->root->auth_badpass_msg;
132
radius_xlat(extra + 1, sizeof(extra) - 1, extra_msg, request,
138
radlog_request(L_AUTH, 0, request, "%s: [%s%s%s] (%s)%s",
142
logit ? clean_password : "",
143
auth_name(buf, sizeof(buf), request, 1),
166
177
while(((auth_type_pair = pairfind(cur_config_item, PW_AUTH_TYPE))) != NULL) {
167
178
auth_type = auth_type_pair->vp_integer;
168
179
auth_type_count++;
180
DICT_VALUE *dv = dict_valbyattr(auth_type_pair->attribute,
181
auth_type_pair->vp_integer);
170
DEBUG2(" rad_check_password: Found Auth-Type %s",
171
auth_type_pair->vp_strvalue);
183
RDEBUG2("Found Auth-Type = %s",
184
(dv != NULL) ? dv->name : "?");
172
185
cur_config_item = auth_type_pair->next;
174
187
if (auth_type == PW_AUTHTYPE_REJECT) {
175
DEBUG2(" rad_check_password: Auth-Type = Reject, rejecting user");
188
RDEBUG2("Auth-Type = Reject, rejecting user");
180
193
if (( auth_type_count > 1) && (debug_flag)) {
181
radlog(L_ERR, "Warning: Found %d auth-types on request for user '%s'",
194
radlog_request(L_ERR, 0, request, "Warning: Found %d auth-types on request for user '%s'",
182
195
auth_type_count, request->username->vp_strvalue);
188
201
* that means it is accepted and we do no further
191
if ((auth_type == PW_AUTHTYPE_ACCEPT) || (request->proxy)) {
192
DEBUG2(" rad_check_password: Auth-Type = Accept, accepting the user");
204
if ((auth_type == PW_AUTHTYPE_ACCEPT)
209
RDEBUG2("Auth-Type = Accept, accepting the user");
203
220
if (password_pair) {
206
DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
207
DEBUG("!!! Replacing User-Password in config items with Cleartext-Password. !!!");
208
DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
209
DEBUG("!!! Please update your configuration so that the \"known good\" !!!");
210
DEBUG("!!! clear text password is in Cleartext-Password, and not in User-Password. !!!");
211
DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
223
RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
224
RDEBUG("!!! Replacing User-Password in config items with Cleartext-Password. !!!");
225
RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
226
RDEBUG("!!! Please update your configuration so that the \"known good\" !!!");
227
RDEBUG("!!! clear text password is in Cleartext-Password, and not in User-Password. !!!");
228
RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
212
229
password_pair->attribute = PW_CLEARTEXT_PASSWORD;
213
230
da = dict_attrbyvalue(PW_CLEARTEXT_PASSWORD);
215
radlog(L_ERR, "FATAL: You broke the dictionaries. Please use the default dictionaries!");
232
radlog_request(L_ERR, 0, request, "FATAL: You broke the dictionaries. Please use the default dictionaries!");
246
263
* This is fail-safe.
248
DEBUG2("auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user");
265
RDEBUG2("No authenticate method (Auth-Type) configuration found for the request: Rejecting the user");
253
270
switch(auth_type) {
256
271
case PW_AUTHTYPE_CRYPT:
272
RDEBUG2("WARNING: Please update your configuration, and remove 'Auth-Type = Crypt'");
273
RDEBUG2("WARNING: Use the PAP module instead.");
258
276
* Find the password sent by the user. It
259
277
* SHOULD be there, if it's not
262
280
auth_item = request->password;
263
281
if (auth_item == NULL) {
264
DEBUG2("auth: No User-Password or CHAP-Password attribute in the request");
282
RDEBUG2("No User-Password or CHAP-Password attribute in the request");
268
DEBUG2("auth: type Crypt");
269
286
if (password_pair == NULL) {
270
DEBUG2("No Crypt-Password configured for the user");
287
RDEBUG2("No Crypt-Password configured for the user");
271
288
rad_authlog("Login incorrect "
272
289
"(No Crypt-Password configured for the user)", request, 0);
285
302
case PW_AUTHTYPE_LOCAL:
286
DEBUG2("auth: type Local");
303
RDEBUG2("WARNING: Please update your configuration, and remove 'Auth-Type = Local'");
304
RDEBUG2("WARNING: Use the PAP or CHAP modules instead.");
289
307
* Find the password sent by the user. It
295
313
auth_item = pairfind(request->packet->vps,
296
314
PW_CHAP_PASSWORD);
297
315
if (!auth_item) {
298
DEBUG2("auth: No User-Password or CHAP-Password attribute in the request");
316
RDEBUG2("No User-Password or CHAP-Password attribute in the request.");
317
RDEBUG2("Cannot perform authentication.");
303
322
* Plain text password.
305
324
if (password_pair == NULL) {
306
DEBUG2("auth: No password configured for the user");
325
RDEBUG2("No \"known good\" password was configured for the user.");
326
RDEBUG2("As a result, we cannot authenticate the user.");
307
327
rad_authlog("Login incorrect "
308
328
"(No password configured for the user)", request, 0);
315
335
if (auth_item->attribute == PW_USER_PASSWORD) {
316
336
if (strcmp((char *)password_pair->vp_strvalue,
317
337
(char *)auth_item->vp_strvalue) != 0) {
318
DEBUG2("auth: user supplied User-Password does NOT match local User-Password");
338
RDEBUG2("User-Password in the request does NOT match \"known good\" password.");
321
DEBUG2("auth: user supplied User-Password matches local User-Password");
341
RDEBUG2("User-Password in the request is correct.");
324
344
} else if (auth_item->attribute != PW_CHAP_PASSWORD) {
325
DEBUG2("The user did not supply a User-Password or a CHAP-Password attribute");
345
RDEBUG2("The user did not supply a User-Password or a CHAP-Password attribute");
326
346
rad_authlog("Login incorrect "
327
347
"(no User-Password or CHAP-Password attribute)", request, 0);
337
357
if (memcmp(my_chap + 1, auth_item->vp_strvalue + 1,
338
358
CHAP_VALUE_LENGTH) != 0) {
339
DEBUG2("auth: user supplied CHAP-Password does NOT match local User-Password");
359
RDEBUG2("CHAP-Password is incorrect.");
342
DEBUG2("auth: user supplied CHAP-Password matches local User-Password");
362
RDEBUG2("CHAP-Password is correct.");
345
dval = dict_valbyattr(PW_AUTH_TYPE, auth_type);
347
DEBUG2("auth: type \"%s\"", dval->name);
349
DEBUG2("auth: type UNKNOWN-%d", auth_type);
353
366
* See if there is a module that handles
354
367
* this type, and turn the RLM_ return
403
416
vp = pairfind(request->config_items, PW_POST_AUTH_TYPE);
405
DEBUG2(" Found Post-Auth-Type %s", vp->vp_strvalue);
418
RDEBUG2("Using Post-Auth-Type %s", vp->vp_strvalue);
406
419
postauth_type = vp->vp_integer;
408
421
result = module_post_auth(postauth_type, request);
446
459
int rad_authenticate(REQUEST *request)
448
461
VALUE_PAIR *namepair;
462
#ifdef WITH_SESSION_MGMT
449
463
VALUE_PAIR *check_item;
450
VALUE_PAIR *auth_item;
465
VALUE_PAIR *auth_item = NULL;
451
466
VALUE_PAIR *module_msg;
452
467
VALUE_PAIR *tmp = NULL;
454
char umsg[MAX_STRING_LEN + 1];
455
const char *user_msg = NULL;
456
469
const char *password;
458
470
char autz_retry = 0;
459
471
int autz_type = 0;
464
477
* If this request got proxied to another server, we need
465
478
* to check whether it authenticated the request or not.
491
505
* done by the server, by rejecting them here.
493
507
case PW_AUTHENTICATION_REJECT:
495
508
rad_authlog("Login incorrect (Home Server says so)",
497
510
request->reply->code = PW_AUTHENTICATION_REJECT;
498
511
return RLM_MODULE_REJECT;
514
rad_authlog("Login incorrect (Home Server failed to respond)",
516
return RLM_MODULE_REJECT;
503
522
* Get the username from the request.
572
591
if (!autz_retry) {
573
592
tmp = pairfind(request->config_items, PW_AUTZ_TYPE);
575
DEBUG2(" Found Autz-Type %s", tmp->vp_strvalue);
594
RDEBUG2("Using Autz-Type %s", tmp->vp_strvalue);
576
595
autz_type = tmp->vp_integer;
585
604
* modules has decided that a proxy should be used. If
586
605
* so, get out of here and send the packet.
588
if ((request->proxy == NULL) &&
609
(request->proxy == NULL) &&
589
611
((tmp = pairfind(request->config_items, PW_PROXY_TO_REALM)) != NULL)) {
605
627
* *the* LOCAL realm.
607
629
if (realm &&(strcmp(realm->name, "LOCAL") != 0)) {
608
DEBUG2(" WARNING: You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling invalid proxy request.", realm->name);
630
RDEBUG2("WARNING: You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling proxy request.", realm->name);
612
DEBUG2(" WARNING: You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue);
634
RDEBUG2("WARNING: You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue);
617
643
* Perhaps there is a Stripped-User-Name now.
637
663
* wants to send back.
639
665
if (result < 0) {
640
DEBUG2("auth: Failed to validate the user.");
666
RDEBUG2("Failed to authenticate the user.");
641
667
request->reply->code = PW_AUTHENTICATION_REJECT;
643
669
if ((module_msg = pairfind(request->packet->vps,PW_MODULE_FAILURE_MESSAGE)) != NULL){
695
#ifdef WITH_SESSION_MGMT
669
696
if (result >= 0 &&
670
697
(check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE)) != NULL) {
671
698
int r, session_type = 0;
700
char umsg[MAX_STRING_LEN + 1];
701
const char *user_msg = NULL;
673
703
tmp = pairfind(request->config_items, PW_SESSION_TYPE);
675
DEBUG2(" Found Session-Type %s", tmp->vp_strvalue);
705
RDEBUG2("Using Session-Type %s", tmp->vp_strvalue);
676
706
session_type = tmp->vp_integer;
737
* We might need this later. The 'password' string
738
* is NOT used anywhere below here, except for logging,
739
* so it should be safe...
741
if ((auth_item != NULL) && (auth_item->attribute == PW_CHAP_PASSWORD)) {
742
password = "CHAP-Password";
746
768
* Add the port number to the Framed-IP-Address if
747
769
* vp->addport is set.
761
783
tmp->flags.addport = 0;
762
784
ip_ntoa(tmp->vp_strvalue, tmp->vp_integer);
764
DEBUG2("WARNING: No NAS-Port attribute in request. CANNOT return a Framed-IP-Address + NAS-Port.\n");
786
RDEBUG2("WARNING: No NAS-Port attribute in request. CANNOT return a Framed-IP-Address + NAS-Port.\n");
765
787
pairdelete(&request->reply->vps, PW_FRAMED_IP_ADDRESS);
added
removed
src/main/auth.c
