pam_radius_auth sends garbage password on initial request when skip_passwd is set
itvirta opened this issue · 1 comments
If skip_passwd is set, pam_radius_auth sends a mangled password in the initial query (the one where it does not prompt the user for one). I expected an empty one, based on the documentation.
FreeRADIUS 2.2.8 (Ubuntu package: 2.2.8+dfsg-0.1build2 on x86_64-pc-linux-gnu), Ubuntu 16.04, Linux 4.4.0.
pam_radius_auth 1.4.0 compiled from the tarball at http://freeradius.org/pam_radius_auth/
Test run:
# echo -en 'client localhost {\n ipaddr = 127.0.01\n secret = xxx\n nastype = other\n}\n' > clients.conf
# echo "127.0.0.1 xxx 3" > /etc/pam_radius_auth.conf
# echo "auth required pam_radius_auth-1.4.0.so debug skip_passwd conf=/etc/pam_radius_auth.conf" > /etc/pam.d/sshd
# freeradius -X
[...]
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 47890, id=61, length=89
User-Name = "testuser"
User-Password = "V@\010\351+-\277s&\346\n\2369"
NAS-IP-Address = 127.0.1.1
NAS-Identifier = "sshd"
NAS-Port = 10942
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "127.0.0.1"
If I remove skip_passwd from the PAM config, the module prompts for the password, and it's sent as expected, empty or not.
# echo "auth required pam_radius_auth-1.4.0.so debug conf=/etc/pam_radius_auth.conf" > /etc/pam.d/sshd
# service ssh restart
# freeradius -X
[...]
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 35777, id=49, length=89
User-Name = "testuser"
User-Password = ""
NAS-IP-Address = 127.0.1.1
NAS-Identifier = "sshd"
NAS-Port = 10967
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "127.0.0.1"
As far as I can tell, skip_passwd is tested at line 1164, and if it is set, the password is left pointing at NULL. build_radius_packet seems to give the empty string to add_password if password == NULL (lines 731-370), so this seems OK. Though the request authenticator isn't generated when password == NULL either (line 722).
The other place I can find where password is checked against zero is in talk_radius, on line 827, which seems to overwrite the request authenticator if password == NULL, apparently assuming that it must be an accounting request in that case, generating the authenticator based on that.
Explicitly setting password to an empty string if skip_passwd is set fixes the issue. Tested with the attached patch applied.
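
The effect the report attributes to the overwritten request authenticator can be shown in isolation. This is an added example, not code from pam_radius_auth or from the issue: it implements RFC 2865 User-Password hiding and decodes an empty password once with the authenticator used for hiding and once with a different one. Both authenticator values are constructed; the shared secret "xxx" is the one from the test setup above.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 (minimum 16),
    then XOR each block with MD5(secret + previous ciphertext block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the hiding using the authenticator from the packet header."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")  # drop the NUL padding


def demo():
    secret = b"xxx"
    # Constructed: authenticator buffer at the time the password is hidden.
    auth_when_hidden = bytes(16)
    # Constructed: a different authenticator written into the header afterwards.
    auth_on_wire = hashlib.md5(b"constructed replacement authenticator").digest()
    hidden = hide_password(b"", secret, auth_when_hidden)
    consistent = unhide_password(hidden, secret, auth_when_hidden)
    mismatched = unhide_password(hidden, secret, auth_on_wire)
    return consistent, mismatched


if __name__ == "__main__":
    ok, garbage = demo()
    print("same authenticator     :", ok)
    print("different authenticator:", garbage)
```

With matching authenticators the server recovers the empty string; with mismatched ones it recovers up to 16 pseudo-random bytes, which is the shape of the User-Password value in the first debug trace.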