Hello Brian -
On Sat, 22 Apr 2000, Brian Morris wrote:
> I have not investigated this too far yet but I thought it important enough
> to alert others of it now...
>
> I have discovered a fault in the setup of /our/ Radiator configuration where
> users may successfully authenticate to our SQL database with an INVALID
> username.
>
> The error occurs when the user places an apostrophe somewhere in their
> username - even though there is not one in their user record on our system,
> Radiator will still let them in. (eg: Username johnsmith logs in as
> johnsmit'h )
>
> The accounting record is written as johnsmit'h so effectively the user does
> not get billed for their usage.
>
> We use the standard rewriteusername to strip the realm (RewriteUsername
> s/^([^@]+).*/$1/ ) so something could be put into there to strip
> apostrophes as well but this is not really a 'solution' (Anyone want to
> supply one for now anyway?)
>
> For reference our authselect looks something like this ... AuthSelect
> select PASSWORD from SUBSCRIBERS where USERNAME='%n'
>
> I thought that others may also want to know about this.
>
Hmmmm - yes. The routine Radius::AuthSQL::findUser does indeed strip single
quotes out of the username string as a defence mechanism:
# Now might be a good time to make sure there are no bogus
# characters in the user name, else the select statement could get
# confused. Special offenders are ' and ). Both together in a
# username can make MSSQL hang.
$name =~ s/'//g;
This is why you are seeing the problem.
If you simply wish to Reject users who might mistakenly type their username in
this way, you could do something like this:
# configuration to Reject users who type single quotes ("'") in their username
# add something like this to your existing configuration
<AuthBy FILE>
	Identifier RejectUsers
	Filename %D/reject-users
</AuthBy>
# Handlers are tried in the order they appear, so put this one before
# your other Handlers; the AuthBy name must match the Identifier above
<Handler User-Name = /'/>
	AuthBy RejectUsers
</Handler>
# if you are currently using Realms, change them to Handlers
# <Realm .....> -> <Handler Realm = ....>
.....
and in the file %D/reject-users
# file %D/reject-users
DEFAULT Auth-Type = Reject
Thanks for pointing this out - we will add a note to the AuthBy SQL section of
the manual indicating this behaviour.
regards
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
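The lookup-versus-accounting mismatch described in this thread, as an added Python example that is not Radiator's own code: it models the quoted findUser quote-stripping against a constructed in-memory SQLite SUBSCRIBERS table, shows a hardened lookup beside it, and flags accounting records whose username matches no subscriber. The table contents, the accounting records and every function name are assumptions made for this example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the SUBSCRIBERS table in the thread's AuthSelect."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SUBSCRIBERS (USERNAME TEXT PRIMARY KEY, PASSWORD TEXT)")
    db.execute("INSERT INTO SUBSCRIBERS VALUES ('johnsmith', 'secret1')")
    return db


def find_user_stripping(db, name):
    """Models the quoted findUser behaviour: single quotes are stripped from the
    name before it is interpolated into the AuthSelect string, so johnsmit'h is
    looked up as johnsmith. Returns the stored password or None."""
    cleaned = name.replace("'", "")
    query = f"select PASSWORD from SUBSCRIBERS where USERNAME='{cleaned}'"
    row = db.execute(query).fetchone()
    return row[0] if row else None


def authenticate_stripping(db, name, password):
    stored = find_user_stripping(db, name)
    return stored is not None and stored == password


def find_user_strict(db, name):
    """Hardened lookup: names containing the quote characters the Radiator
    comment singles out are rejected rather than silently rewritten, and the
    name is bound as a query parameter so it is never spliced into SQL text.
    The identity that authenticates is therefore exactly the one accounted."""
    if "'" in name or ")" in name:
        return None
    row = db.execute("select PASSWORD from SUBSCRIBERS where USERNAME=?", (name,)).fetchone()
    return row[0] if row else None


def authenticate_strict(db, name, password):
    stored = find_user_strict(db, name)
    return stored is not None and stored == password


# Constructed accounting records (username, session seconds) as they would be
# written with the User-Name exactly as sent by the client.
ACCOUNTING = [("johnsmith", 1200), ("johnsmit'h", 3600), ("johnsmith", 300)]


def find_unbilled(db, records):
    """Detection for existing logs: accounted usernames with no subscriber row,
    i.e. sessions that were authenticated under one name and billed to another."""
    unmatched = []
    for name, _secs in records:
        if db.execute("select 1 from SUBSCRIBERS where USERNAME=?", (name,)).fetchone() is None:
            unmatched.append(name)
    return unmatched
```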