FreeRADIUS/pam_radius

pam_radius_auth sends garbage password on initial request when skip_passwd is set

itvirta opened this issue · 1 comments

If skip_passwd is set, pam_radius_auth sends a mangled password in the initial query (the one where it does not prompt the user for one). I expected an empty one, based on the documentation.

FreeRADIUS 2.2.8 (Ubuntu package: 2.2.8+dfsg-0.1build2 on x86_64-pc-linux-gnu), Ubuntu 16.04, Linux 4.4.0.
pam_radius_auth 1.4.0 compiled from the tarball at http://freeradius.org/pam_radius_auth/

Test run:

# echo -en 'client localhost {\n ipaddr = 127.0.01\n secret = xxx\n nastype = other\n}\n' > clients.conf
# echo "127.0.0.1  xxx  3" > /etc/pam_radius_auth.conf
# echo "auth required pam_radius_auth-1.4.0.so debug skip_passwd conf=/etc/pam_radius_auth.conf" > /etc/pam.d/sshd
# freeradius -X
[...]
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 47890, id=61, length=89
	User-Name = "testuser"
	User-Password = "V@\010\351+-\277s&\346\n\2369﫴"
	NAS-IP-Address = 127.0.1.1
	NAS-Identifier = "sshd"
	NAS-Port = 10942
	NAS-Port-Type = Virtual
	Service-Type = Authenticate-Only
	Calling-Station-Id = "127.0.0.1"

If I remove skip_passwd from the PAM config, the module prompts for the password, and it's sent as expected, empty or not.

# echo "auth required pam_radius_auth-1.4.0.so debug conf=/etc/pam_radius_auth.conf" > /etc/pam.d/sshd
# service ssh restart
# freeradius -X
[...]
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 35777, id=49, length=89
	User-Name = "testuser"
	User-Password = ""
	NAS-IP-Address = 127.0.1.1
	NAS-Identifier = "sshd"
	NAS-Port = 10967
	NAS-Port-Type = Virtual
	Service-Type = Authenticate-Only
	Calling-Station-Id = "127.0.0.1"

As far as I can tell, skip_passwd is tested at line 1164, and if it is set, the password is left pointing at NULL.
build_radius_packet seems to give the empty string to add_password if password == NULL (lines 731-370), so this seems ok. Though the request authenticator isn't generated when password == NULL either (line 722).

The other place I can find where password is checked against zero is in talk_radius, on line 827, which seems to overwrite the request authenticator if password == NULL, apparently assuming that it must be an accounting request in that case, generating the authenticator based on that.

Explicitly setting password to an empty string if skip_passwd is set fixes the issue. Tested with the attached patch applied.

pam-radius-auth-skip_passwd.txt
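
The mechanism the post points at, as an added example (not code from pam_radius_auth or from the issue author): RFC 2865 hides User-Password by XORing it with MD5(secret + Request Authenticator), so if the authenticator in the packet differs from the one in place when the password was hidden, the server decodes an empty password as a block of garbage bytes. The function names and both authenticator values are constructed for illustration; the secret `xxx` is the one from the test setup above.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to a multiple of 16 bytes (at least one
    block), then XOR each block with MD5(secret + previous ciphertext block),
    the first block being keyed with the Request Authenticator."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding using the authenticator found in the packet."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

SECRET = b"xxx"                  # shared secret from the test setup in the post
AUTH_AT_ENCODE = bytes(16)       # constructed: field contents when the password was hidden
AUTH_ON_WIRE = bytes(range(16))  # constructed: field contents after being overwritten

def server_sees(password: bytes, auth_at_encode: bytes, auth_on_wire: bytes) -> bytes:
    """What the server decodes when the authenticator changes after hiding."""
    hidden = hide_password(password, SECRET, auth_at_encode)
    return reveal_password(hidden, SECRET, auth_on_wire)

if __name__ == "__main__":
    print("consistent authenticator: ", server_sees(b"", AUTH_ON_WIRE, AUTH_ON_WIRE))
    print("overwritten authenticator:", server_sees(b"", AUTH_AT_ENCODE, AUTH_ON_WIRE))
```

An empty password still occupies one 16-byte hidden block, which is why the mismatch shows up on the server as a short run of random-looking bytes rather than as an empty string.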