Closed itvirta closed 7 years ago
As far as I can tell, skip_passwd
is tested at line 1164, and if it is set, the password
is left pointing at NULL
.
build_radius_packet
seems to give the empty string to add_password
if password == NULL
lines 731-370, so this seems ok. Though the request authenticator isn't generated when password == NULL
either (line 722).
The other place I can find where password
is checked against zero, is in talk_radius
, on line 827, which seems to overwrite the request authenticator if password == NULL
, apparently assuming that it must be an accounting request in that case generating the authenticator based on that.
Explicitly setting password
to an empty string if skip_passwd
is set fixes the issue. Tested with the attached patch applied.
If
skip_passwd
'is setpam_radius_auth
sends a mangled password in the initial query (the one where it does not prompt the user for one). I expected an empty one, based on the documentation.FreeRADIUS 2.2.8 (Ubuntu package:
2.2.8+dfsg-0.1build2
onx86_64-pc-linux-gnu
), Ubuntu 16.04, Linux 4.4.0. pam_radius_auth 1.4.0 compiled from the tarball at http://freeradius.org/pam_radius_auth/Test run:
If I remove
skip_passwd
from the PAM config, the module prompts for the password, and it's sent as expected, empty or not.