FreeRADIUS / pam_radius

This is the PAM to RADIUS authentication module. It allows any Linux, OSX or Solaris machine to become a RADIUS client for authentication and password change requests.
GNU General Public License v2.0

pam_radius_auth sends garbage password on initial request when skip_passwd is set #27

Closed itvirta closed 7 years ago

itvirta commented 7 years ago

If skip_passwd is set, pam_radius_auth sends a mangled password in the initial query (the one where it does not prompt the user for one). I expected an empty one, based on the documentation.

FreeRADIUS 2.2.8 (Ubuntu package:2.2.8+dfsg-0.1build2 on x86_64-pc-linux-gnu), Ubuntu 16.04, Linux 4.4.0. pam_radius_auth 1.4.0 compiled from the tarball at http://freeradius.org/pam_radius_auth/

Test run:

# echo -en 'client localhost {\n ipaddr = 127.0.01\n secret = xxx\n nastype = other\n}\n' > clients.conf
# echo "127.0.0.1  xxx  3" > /etc/pam_radius_auth.conf
# echo "auth required pam_radius_auth-1.4.0.so debug skip_passwd conf=/etc/pam_radius_auth.conf" > /etc/pam.d/sshd
# freeradius -X
[...]
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 47890, id=61, length=89
    User-Name = "testuser"
    User-Password = "V@\010\351+-\277s&\346\n\2369﫴"
    NAS-IP-Address = 127.0.1.1
    NAS-Identifier = "sshd"
    NAS-Port = 10942
    NAS-Port-Type = Virtual
    Service-Type = Authenticate-Only
    Calling-Station-Id = "127.0.0.1"

If I remove skip_passwd from the PAM config, the module prompts for the password, and it's sent as expected, empty or not.

# echo "auth required pam_radius_auth-1.4.0.so debug conf=/etc/pam_radius_auth.conf" > /etc/pam.d/sshd
# service ssh restart
# freeradius -X
[...]
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 35777, id=49, length=89
    User-Name = "testuser"
    User-Password = ""
    NAS-IP-Address = 127.0.1.1
    NAS-Identifier = "sshd"
    NAS-Port = 10967
    NAS-Port-Type = Virtual
    Service-Type = Authenticate-Only
    Calling-Station-Id = "127.0.0.1"

itvirta commented 7 years ago

As far as I can tell, skip_passwd is tested at line 1164, and if it is set, the password is left pointing at NULL. build_radius_packet seems to give the empty string to add_password if password == NULL (lines 731-370), so this seems ok. Though the request authenticator isn't generated when password == NULL either (line 722).

The other place I can find where password is checked against zero is in talk_radius, on line 827, which seems to overwrite the request authenticator if password == NULL, apparently assuming that it must be an accounting request in that case, generating the authenticator based on that.

Explicitly setting password to an empty string if skip_passwd is set fixes the issue. Tested with the attached patch applied.

pam-radius-auth-skip_passwd.txt
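
An added illustration, not part of the original thread and not pam_radius_auth code: RFC 2865 User-Password hiding in Python, showing that an empty password hidden under one Request Authenticator and decoded under a different one comes out as non-empty garbage, which is consistent with the analysis in the comment above. The secret `xxx` is the one from the test run; both authenticator values are constructed, and sending an empty password as one NUL block is an assumption.

```python
import hashlib

def _blocks(data: bytes):
    return [data[i:i + 16] for i in range(0, len(data), 16)]

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password as in RFC 2865 section 5.2."""
    # Pad with NULs to a multiple of 16 octets. Assumption: an empty
    # password is still sent as one all-NUL block.
    size = max(16, (len(password) + 15) // 16 * 16)
    out, prev = b"", authenticator
    for block in _blocks(password.ljust(size, b"\x00")):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(block, mask))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the authenticator from the packet header."""
    out, prev = b"", authenticator
    for block in _blocks(hidden):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

SECRET = b"xxx"                      # shared secret from the test run above
RA_AT_ENCODE = bytes(16)             # constructed: authenticator never generated
RA_IN_HEADER = bytes(range(1, 17))   # constructed: value written before sending

def consistent_case() -> bytes:
    """Password hidden and decoded with the same authenticator."""
    hidden = hide_password(b"", SECRET, RA_IN_HEADER)
    return recover_password(hidden, SECRET, RA_IN_HEADER)

def mismatch_case() -> bytes:
    """Authenticator replaced after the password was already hidden."""
    hidden = hide_password(b"", SECRET, RA_AT_ENCODE)
    return recover_password(hidden, SECRET, RA_IN_HEADER)

if __name__ == "__main__":
    print("same authenticator     :", consistent_case())
    print("authenticator replaced :", mismatch_case())
```

The mismatch case yields the XOR of two different MD5 masks, so the server logs 16 bytes of binary noise instead of an empty string.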