Ascend Archive

Re: (ASCEND) Radius "bug"?



> Anyway, we are using Ascend's version of radiusd via Solaris, and I've found
> that if I enter a username including a space, radius will simply ignore the
> space and everything after it...but it still shows up in all of the log files
> and accounting records.  In other words, if my username was "foo", and
> I entered "foo is the coolest user at this site" as my username, and
> gave my correct password, I would be authenticated just fine, and that
> whole sentence would show up in the radius accounting logs and such.

Let me guess, you have a DEFAULT entry with a check-item of Password="UNIX".
Right?  If so, then what you are seeing is a Solaris (System V) feature, not
a RADIUS bug.

To prove this, telnet to your Solaris system and log in as "foo is the coolest
user at this site".  You will succeed.  This is because System V UNIX allows
you to pass environment variables over at the end of the user name string.

If you were to explicitly list your users in the users file and remove the 
DEFAULT entry then the users could not do this, because the User-Name string
"foo is ..." would not match the "foo" in the users file.  But since you said
"blindly trust the UNIX password file" (by using DEFAULT), radiusd does.

You can certainly change the behavior of radiusd to either (a) throw away
any information after white space in the User-Name or (b) reject any user
who has white space in the User-Name.

Note that this "feature" does not reduce your security in any way.  The user
was authenticated using the information in the UNIX password file.  The only
problem is that it is more difficult to do billing, if you key off the
User-Name and do not prepare for spaces in the User-Name.
++ Ascend Users Mailing List ++
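
The two changes the reply mentions, (a) discarding everything after white space in the User-Name and (b) rejecting a User-Name that contains white space, sketched as an added example; this is not part of the original message and not code from Ascend's radiusd. The function name, the policy enum and the buffer handling are assumptions; the result is meant to be the single name used for both the password lookup and the accounting record.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define USER_NAME_MAX 253  /* largest RADIUS attribute value, in octets */

enum ws_policy { WS_TRUNCATE, WS_REJECT };   /* options (a) and (b) */

/*
 * Hypothetical helper, not from Ascend's radiusd. Turns the raw User-Name
 * attribute (length-delimited, not NUL-terminated) into the one name that
 * both authentication and accounting should use.
 * Returns 0 and fills `out` on success, -1 if the request should be rejected.
 */
int canonical_user_name(const unsigned char *attr, size_t len,
                        enum ws_policy policy, char *out, size_t outsz)
{
    size_t n = 0;

    if (attr == NULL || out == NULL || outsz == 0 || len > USER_NAME_MAX)
        return -1;

    /* Length of the leading run with no white space or control bytes. */
    while (n < len && !isspace(attr[n]) && !iscntrl(attr[n]))
        n++;

    if (n == 0)                 /* empty name, or name starts with white space */
        return -1;
    if (n < len && policy == WS_REJECT)
        return -1;              /* (b): something follows the bare name */
    if (n < len && !isspace(attr[n]))
        return -1;              /* never truncate at a NUL or other control byte */
    if (n >= outsz)
        return -1;              /* would not fit with the terminator */

    memcpy(out, attr, n);       /* (a): keep only the part before white space */
    out[n] = '\0';
    return 0;
}
```

Writing the returned name, rather than the raw attribute, into the accounting record keeps billing keyed on "foo" whichever policy is chosen.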