2 * auth.c User authentication.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2000,2006 The FreeRADIUS server project
21 * Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
22 * Copyright 2000 Jeff Carneal <jeff@apex.net>
26 #include <freeradius-devel/radiusd.h>
27 #include <freeradius-devel/modules.h>
28 #include <freeradius-devel/state.h>
29 #include <freeradius-devel/rad_assert.h>
34 * Return a short string showing the terminal server, port
35 * and calling station ID.
37 char *auth_name(char *buf, size_t buflen, REQUEST *request, bool do_cli)
41 uint32_t port = 0; /* RFC 2865 NAS-Port is 4 bytes */
44 if ((cli = fr_pair_find_by_num(request->packet->vps, PW_CALLING_STATION_ID, 0, TAG_ANY)) == NULL) {
48 if ((pair = fr_pair_find_by_num(request->packet->vps, PW_NAS_PORT, 0, TAG_ANY)) != NULL) {
49 port = pair->vp_integer;
52 if (request->packet->dst_port == 0) {
53 if (fr_pair_find_by_num(request->packet->vps, PW_FREERADIUS_PROXIED_TO, 0, TAG_ANY)) {
54 tls = " via TLS tunnel";
56 tls = " via proxy to virtual server";
60 snprintf(buf, buflen, "from client %.128s port %u%s%.128s%s",
61 request->client->shortname, port,
62 (do_cli ? " cli " : ""), (do_cli ? cli->vp_strvalue : ""),
71 * Make sure user/pass are clean
74 static int rad_authlog(char const *msg, REQUEST *request, int goodpass)
77 char const *extra_msg = NULL;
78 char clean_password[1024];
79 char clean_username[1024];
83 VALUE_PAIR *username = NULL;
85 if (!request->root->log_auth) {
90 * Get the correct username based on the configured value
92 if (!log_stripped_names) {
93 username = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
95 username = request->username;
99 * Clean up the username
101 if (username == NULL) {
102 strcpy(clean_username, "<no User-Name attribute>");
104 fr_prints(clean_username, sizeof(clean_username), username->vp_strvalue, username->vp_length, '\0');
108 * Clean up the password
110 if (request->root->log_auth_badpass || request->root->log_auth_goodpass) {
111 if (!request->password) {
112 VALUE_PAIR *auth_type;
114 auth_type = fr_pair_find_by_num(request->config, PW_AUTH_TYPE, 0, TAG_ANY);
116 snprintf(clean_password, sizeof(clean_password),
117 "<via Auth-Type = %s>",
118 dict_valnamebyattr(PW_AUTH_TYPE, 0,
119 auth_type->vp_integer));
121 strcpy(clean_password, "<no User-Password attribute>");
123 } else if (fr_pair_find_by_num(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) {
124 strcpy(clean_password, "<CHAP-Password>");
126 fr_prints(clean_password, sizeof(clean_password),
127 request->password->vp_strvalue, request->password->vp_length, '\0');
132 logit = request->root->log_auth_goodpass;
133 extra_msg = request->root->auth_goodpass_msg;
135 logit = request->root->log_auth_badpass;
136 extra_msg = request->root->auth_badpass_msg;
142 if (radius_xlat(p, sizeof(extra) - 1, request, extra_msg, NULL, NULL) < 0) {
149 RAUTH("%s: [%s%s%s] (%s)%s",
153 logit ? clean_password : "",
154 auth_name(buf, sizeof(buf), request, 1),
165 * -2 Rejected (Auth-Type = Reject, send Port-Message back)
166 * 1 End check & return, don't reply
168 * NOTE: NOT the same as the RLM_ values !
170 static int CC_HINT(nonnull) rad_check_password(REQUEST *request)
173 VALUE_PAIR *auth_type_pair;
176 int auth_type_count = 0;
179 * Look for matching check items. We skip the whole lot
180 * if the authentication type is PW_AUTH_TYPE_ACCEPT or
181 * PW_AUTH_TYPE_REJECT.
183 fr_cursor_init(&cursor, &request->config);
184 while ((auth_type_pair = fr_cursor_next_by_num(&cursor, PW_AUTH_TYPE, 0, TAG_ANY))) {
185 auth_type = auth_type_pair->vp_integer;
188 RDEBUG2("Found Auth-Type = %s", dict_valnamebyattr(PW_AUTH_TYPE, 0, auth_type));
189 if (auth_type == PW_AUTH_TYPE_REJECT) {
190 RDEBUG2("Auth-Type = Reject, rejecting user");
197 * Warn if more than one Auth-Type was found, because only the last
198 * one found will actually be used.
200 if ((auth_type_count > 1) && (rad_debug_lvl)) {
201 RERROR("Warning: Found %d auth-types on request for user '%s'",
202 auth_type_count, request->username->vp_strvalue);
206 * This means we have a proxy reply or an accept and it wasn't
207 * rejected in the above loop. So that means it is accepted and we
208 * do no further authentication.
210 if ((auth_type == PW_AUTH_TYPE_ACCEPT)
215 RDEBUG2("Auth-Type = Accept, accepting the user");
220 * Check that Auth-Type has been set, and reject if not.
222 * Do quick checks to see if Cleartext-Password or Crypt-Password have
223 * been set, and complain if so.
226 if (fr_pair_find_by_num(request->config, PW_CRYPT_PASSWORD, 0, TAG_ANY) != NULL) {
227 RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Crypt'");
228 RWDEBUG2("Use the PAP module instead");
230 else if (fr_pair_find_by_num(request->config, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY) != NULL) {
231 RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Local'");
232 RWDEBUG2("Use the PAP or CHAP modules instead");
236 * The admin hasn't told us how to
237 * authenticate the user, so we reject them!
242 REDEBUG2("No Auth-Type found: rejecting the user via Post-Auth-Type = Reject");
247 * See if there is a module that handles
248 * this Auth-Type, and turn the RLM_ return
249 * status into the values as defined at
250 * the top of this function.
252 result = process_authenticate(auth_type, request);
255 * An authentication module FAIL
256 * return code, or any return code that
257 * is not expected from authentication,
258 * is the same as an explicit REJECT!
260 case RLM_MODULE_FAIL:
261 case RLM_MODULE_INVALID:
262 case RLM_MODULE_NOOP:
263 case RLM_MODULE_NOTFOUND:
264 case RLM_MODULE_REJECT:
265 case RLM_MODULE_UPDATED:
266 case RLM_MODULE_USERLOCK:
275 case RLM_MODULE_HANDLED:
284 * Post-authentication step processes the response before it is
285 * sent to the NAS. It can receive both Access-Accept and Access-Reject
288 int rad_postauth(REQUEST *request)
291 int postauth_type = 0;
294 if (request->reply->code == PW_CODE_ACCESS_CHALLENGE) {
295 fr_pair_delete_by_num(&request->config, PW_POST_AUTH_TYPE, 0, TAG_ANY);
296 vp = pair_make_config("Post-Auth-Type", "Challenge", T_OP_SET);
297 if (!vp) return RLM_MODULE_OK;
299 } else if (request->reply->code == PW_CODE_ACCESS_REJECT) {
300 fr_pair_delete_by_num(&request->config, PW_POST_AUTH_TYPE, 0, TAG_ANY);
301 vp = pair_make_config("Post-Auth-Type", "Reject", T_OP_SET);
302 if (!vp) return RLM_MODULE_OK;
305 vp = fr_pair_find_by_num(request->config, PW_POST_AUTH_TYPE, 0, TAG_ANY);
309 * If a method was chosen, use that.
312 postauth_type = vp->vp_integer;
313 RDEBUG2("Using Post-Auth-Type %s",
314 dict_valnamebyattr(PW_POST_AUTH_TYPE, 0, postauth_type));
317 result = process_post_auth(postauth_type, request);
320 * The module failed, or said to reject the user: Do so.
322 case RLM_MODULE_FAIL:
323 case RLM_MODULE_INVALID:
324 case RLM_MODULE_REJECT:
325 case RLM_MODULE_USERLOCK:
328 * We WERE going to have a nice reply, but
329 * something went wrong. So we've got to run
330 * Post-Auth-Type Reject.
332 if (request->reply->code != PW_CODE_ACCESS_REJECT) {
333 RDEBUG("Using Post-Auth-Type Reject");
335 process_post_auth(PW_POST_AUTH_TYPE_REJECT, request);
338 fr_state_discard(request, request->packet);
339 result = RLM_MODULE_REJECT;
342 * The module handled the request, cancel the reply.
344 case RLM_MODULE_HANDLED:
348 * The module had a number of OK return codes.
350 case RLM_MODULE_NOOP:
351 case RLM_MODULE_NOTFOUND:
353 case RLM_MODULE_UPDATED:
354 result = RLM_MODULE_OK;
356 if (request->reply->code == PW_CODE_ACCESS_CHALLENGE) {
357 fr_state_put_vps(request, request->packet, request->reply);
360 fr_state_discard(request, request->packet);
366 * Rejects during authorize, etc. are handled by the
367 * earlier code, which logs a reason for the rejection.
368 * If the packet is rejected in post-auth, we need to log
369 * that as a separate reason.
371 if (result == RLM_MODULE_REJECT) {
372 if (request->reply->code != RLM_MODULE_REJECT) {
373 rad_authlog("Rejected in post-auth", request, 0);
375 request->reply->code = PW_CODE_ACCESS_REJECT;
379 * If we're still accepting the user, say so.
381 if (request->reply->code == PW_CODE_ACCESS_ACCEPT) {
382 if ((vp = fr_pair_find_by_num(request->packet->vps, PW_MODULE_SUCCESS_MESSAGE, 0, TAG_ANY)) != NULL) {
383 char msg[MAX_STRING_LEN+12];
385 snprintf(msg, sizeof(msg), "Login OK (%s)",
387 rad_authlog(msg, request, 1);
389 rad_authlog("Login OK", request, 1);
397 * Process and reply to an authentication request
399 * The return value of this function isn't actually used right now, so
400 * it's not entirely clear if it is returning the right things. --Pac.
402 int rad_authenticate(REQUEST *request)
404 #ifdef WITH_SESSION_MGMT
405 VALUE_PAIR *check_item;
407 VALUE_PAIR *module_msg;
408 VALUE_PAIR *tmp = NULL;
415 * If this request got proxied to another server, we need
416 * to check whether it authenticated the request or not.
418 * request->proxy gets set only AFTER authorization, so
419 * it's safe to check it here. If it exists, it means
420 * we're doing a second pass through rad_authenticate().
422 if (request->proxy) {
425 if (request->proxy_reply) code = request->proxy_reply->code;
429 * Reply of ACCEPT means accept, thus set Auth-Type
432 case PW_CODE_ACCESS_ACCEPT:
433 tmp = radius_pair_create(request,
436 if (tmp) tmp->vp_integer = PW_AUTH_TYPE_ACCEPT;
440 * Challenges are punted back to the NAS without any
441 * further processing.
443 case PW_CODE_ACCESS_CHALLENGE:
444 request->reply->code = PW_CODE_ACCESS_CHALLENGE;
445 fr_state_put_vps(request, request->packet, request->reply);
446 return RLM_MODULE_OK;
449 * ALL other replies mean reject. (this is fail-safe)
451 * Do NOT do any authorization or authentication. They
452 * are being rejected, so we minimize the amount of work
453 * done by the server, by rejecting them here.
455 case PW_CODE_ACCESS_REJECT:
456 rad_authlog("Login incorrect (Home Server says so)",
458 request->reply->code = PW_CODE_ACCESS_REJECT;
459 fr_state_discard(request, request->packet);
460 return RLM_MODULE_REJECT;
463 rad_authlog("Login incorrect (Home Server failed to respond)",
465 fr_state_discard(request, request->packet);
466 return RLM_MODULE_REJECT;
471 * Look for, and cache, passwords.
473 if (!request->password) {
474 request->password = fr_pair_find_by_num(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
476 if (!request->password) {
477 request->password = fr_pair_find_by_num(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY);
481 * Grab the VPS associated with the State attribute.
483 fr_state_get_vps(request, request->packet);
486 * Get the user's authorization information from the database
489 result = process_authorize(autz_type, request);
491 case RLM_MODULE_NOOP:
492 case RLM_MODULE_NOTFOUND:
494 case RLM_MODULE_UPDATED:
496 case RLM_MODULE_HANDLED:
498 case RLM_MODULE_FAIL:
499 case RLM_MODULE_INVALID:
500 case RLM_MODULE_REJECT:
501 case RLM_MODULE_USERLOCK:
503 if ((module_msg = fr_pair_find_by_num(request->packet->vps, PW_MODULE_FAILURE_MESSAGE, 0, TAG_ANY)) != NULL) {
504 char msg[MAX_STRING_LEN + 16];
505 snprintf(msg, sizeof(msg), "Invalid user (%s)",
506 module_msg->vp_strvalue);
507 rad_authlog(msg,request,0);
509 rad_authlog("Invalid user", request, 0);
511 request->reply->code = PW_CODE_ACCESS_REJECT;
515 tmp = fr_pair_find_by_num(request->config, PW_AUTZ_TYPE, 0, TAG_ANY);
517 autz_type = tmp->vp_integer;
518 RDEBUG2("Using Autz-Type %s",
519 dict_valnamebyattr(PW_AUTZ_TYPE, 0, autz_type));
526 * If we haven't already proxied the packet, then check
527 * to see if we should. Maybe one of the authorize
528 * modules has decided that a proxy should be used. If
529 * so, get out of here and send the packet.
533 (request->proxy == NULL) &&
535 ((tmp = fr_pair_find_by_num(request->config, PW_PROXY_TO_REALM, 0, TAG_ANY)) != NULL)) {
538 realm = realm_find2(tmp->vp_strvalue);
541 * Don't authenticate, as the request is going to
544 if (realm && realm->auth_pool) {
545 return RLM_MODULE_OK;
549 * Catch users who set Proxy-To-Realm to a LOCAL
550 * realm (sigh). But don't complain if it is
553 if (realm &&(strcmp(realm->name, "LOCAL") != 0)) {
554 RWDEBUG2("You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling proxy request.", realm->name);
558 RWDEBUG2("You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue);
570 result = rad_check_password(request);
572 return RLM_MODULE_HANDLED;
578 * Failed to validate the user.
580 * We PRESUME that the code which failed will clean up
581 * request->reply->vps, to be ONLY the reply items it
582 * wants to send back.
585 RDEBUG2("Failed to authenticate the user");
586 request->reply->code = PW_CODE_ACCESS_REJECT;
588 if ((module_msg = fr_pair_find_by_num(request->packet->vps, PW_MODULE_FAILURE_MESSAGE, 0, TAG_ANY)) != NULL){
589 char msg[MAX_STRING_LEN+19];
591 snprintf(msg, sizeof(msg), "Login incorrect (%s)",
592 module_msg->vp_strvalue);
593 rad_authlog(msg, request, 0);
595 rad_authlog("Login incorrect", request, 0);
598 if (request->password) {
599 VERIFY_VP(request->password);
600 /* double check: maybe the secret is wrong? */
601 if ((rad_debug_lvl > 1) && (request->password->da->attr == PW_USER_PASSWORD)) {
604 p = (uint8_t const *) request->password->vp_strvalue;
608 size = fr_utf8_char(p, -1);
610 RWDEBUG("Unprintable characters in the password. Double-check the "
611 "shared secret on the server and the NAS!");
620 #ifdef WITH_SESSION_MGMT
622 (check_item = fr_pair_find_by_num(request->config, PW_SIMULTANEOUS_USE, 0, TAG_ANY)) != NULL) {
623 int r, session_type = 0;
625 char umsg[MAX_STRING_LEN + 1];
627 tmp = fr_pair_find_by_num(request->config, PW_SESSION_TYPE, 0, TAG_ANY);
629 session_type = tmp->vp_integer;
630 RDEBUG2("Using Session-Type %s",
631 dict_valnamebyattr(PW_SESSION_TYPE, 0, session_type));
635 * User authenticated O.K. Now we have to check
636 * for the Simultaneous-Use parameter.
638 if (request->username &&
639 (r = process_checksimul(session_type, request, check_item->vp_integer)) != 0) {
643 /* Multilink attempt. Check if port-limit > simultaneous-use */
644 VALUE_PAIR *port_limit;
646 if ((port_limit = fr_pair_find_by_num(request->reply->vps, PW_PORT_LIMIT, 0, TAG_ANY)) != NULL &&
647 port_limit->vp_integer > check_item->vp_integer){
648 RDEBUG2("MPP is OK");
653 if (check_item->vp_integer > 1) {
654 snprintf(umsg, sizeof(umsg), "%s (%u)", main_config.denied_msg,
655 check_item->vp_integer);
657 strlcpy(umsg, main_config.denied_msg, sizeof(umsg));
660 request->reply->code = PW_CODE_ACCESS_REJECT;
663 * They're trying to log in too many times.
664 * Remove ALL reply attributes.
666 fr_pair_list_free(&request->reply->vps);
667 pair_make_reply("Reply-Message", umsg, T_OP_SET);
669 snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
670 check_item->vp_integer,
671 r == 2 ? "[MPP attempt]" : "");
672 rad_authlog(logstr, request, 1);
681 * Result should be >= 0 here - if not, it means the user
682 * is rejected, so we just process post-auth and return.
685 return RLM_MODULE_REJECT;
689 * Set the reply to Access-Accept, if it hasn't already
690 * been set to something. (i.e. Access-Challenge)
692 if (request->reply->code == 0) {
693 request->reply->code = PW_CODE_ACCESS_ACCEPT;
700 * Run a virtual server auth and postauth
703 int rad_virtual_server(REQUEST *request)
708 RDEBUG("Virtual server %s received request", request->server);
709 rdebug_pair_list(L_DBG_LVL_1, request, request->packet->vps, NULL);
711 if (!request->username) {
712 request->username = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
716 * Complain about possible issues related to tunnels.
718 if (request->parent && request->parent->username && request->username) {
720 * Look at the full User-Name with realm.
722 if (request->parent->username->da->attr == PW_STRIPPED_USER_NAME) {
723 vp = fr_pair_find_by_num(request->parent->packet->vps, PW_USER_NAME, 0, TAG_ANY);
724 rad_assert(vp != NULL);
726 vp = request->parent->username;
730 * If the names aren't identical, we do some detailed checks.
732 if (strcmp(vp->vp_strvalue, request->username->vp_strvalue) != 0) {
733 char const *outer, *inner;
735 outer = strchr(vp->vp_strvalue, '@');
738 * If there's no realm, or there's a user identifier before
739 * the realm name, check the user identifier.
741 * It SHOULD be "anonymous", or "anonymous@realm"
744 if ((outer != vp->vp_strvalue) &&
745 ((vp->vp_length < 10) || (memcmp(vp->vp_strvalue, "anonymous@", 10) != 0))) {
746 RWDEBUG("Outer User-Name is not anonymized. User privacy is compromised.");
747 } /* else it is anonymized */
750 * Check when there's no realm, and without the trailing '@'
752 } else if ((vp->vp_length < 9) || (memcmp(vp->vp_strvalue, "anonymous", 9) != 0)) {
753 RWDEBUG("Outer User-Name is not anonymized. User privacy is compromised.");
755 } /* else the user identifier is anonymized */
758 * Look for an inner realm, which may or may not exist.
760 inner = strchr(request->username->vp_strvalue, '@');
761 if (outer && inner) {
766 * The realms are different, do
767 * more detailed checks.
769 if (strcmp(outer, inner) != 0) {
770 size_t outer_len, inner_len;
772 outer_len = vp->vp_length;
773 outer_len -= (outer - vp->vp_strvalue);
775 inner_len = request->username->vp_length;
776 inner_len -= (inner - request->username->vp_strvalue);
779 * Inner: secure.example.org
782 if (inner_len > outer_len) {
785 suffix = inner + (inner_len - outer_len) - 1;
787 if ((*suffix != '.') ||
788 (strcmp(suffix + 1, outer) != 0)) {
789 RWDEBUG("Possible spoofing: Inner realm '%s' is not a subdomain of the outer realm '%s'", inner, outer);
793 RWDEBUG("Possible spoofing: Inner realm and outer realms are different");
799 RWDEBUG("Outer and inner identities are the same. User privacy is compromised.");
803 RDEBUG("server %s {", request->server);
807 * We currently only handle AUTH packets here.
808 * This could be expanded to handle other packets as well if required.
810 rad_assert(request->packet->code == PW_CODE_ACCESS_REQUEST);
812 result = rad_authenticate(request);
814 if (request->reply->code == PW_CODE_ACCESS_REJECT) {
815 fr_pair_delete_by_num(&request->config, PW_POST_AUTH_TYPE, 0, TAG_ANY);
816 vp = pair_make_config("Post-Auth-Type", "Reject", T_OP_SET);
817 if (vp) rad_postauth(request);
820 if (request->reply->code == PW_CODE_ACCESS_ACCEPT) {
821 rad_postauth(request);
825 RDEBUG("} # server %s", request->server);
827 RDEBUG("Virtual server sending reply");
828 rdebug_pair_list(L_DBG_LVL_1, request, request->reply->vps, NULL);
projects / freeradius.git / blob