2 * auth.c User authentication.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Copyright 2000 The FreeRADIUS server project
21 * Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
22 * Copyright 2000 Jeff Carneal <jeff@apex.net>
25 static const char rcsid[] = "$Id$";
28 #include "libradius.h"
34 #ifdef HAVE_NETINET_IN_H
35 # include <netinet/in.h>
40 #include "rad_assert.h"
43 * Return a short string showing the terminal server, port
44 * and calling station ID.
46 char *auth_name(char *buf, size_t buflen, REQUEST *request, int do_cli) {
51 if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID)) == NULL)
53 if ((pair = pairfind(request->packet->vps, PW_NAS_PORT)) != NULL)
56 snprintf(buf, buflen, "from client %.128s port %u%s%.128s",
57 client_name(&request->packet->src_ipaddr), port,
58 (do_cli ? " cli " : ""), (do_cli ? (char *)cli->strvalue : ""));
66 * Make sure user/pass are clean
69 static int rad_authlog(const char *msg, REQUEST *request, int goodpass) {
71 char clean_password[1024];
72 char clean_username[1024];
74 VALUE_PAIR *username = NULL;
76 if (!mainconfig.log_auth) {
81 * Get the correct username based on the configured value
83 if (log_stripped_names == 0) {
84 username = pairfind(request->packet->vps, PW_USER_NAME);
86 username = request->username;
90 * Clean up the username
92 if (username == NULL) {
93 strcpy(clean_username, "<no User-Name attribute>");
95 librad_safeprint((char *)username->strvalue,
97 clean_username, sizeof(clean_username));
101 * Clean up the password
103 if (mainconfig.log_auth_badpass || mainconfig.log_auth_goodpass) {
104 if (!request->password) {
105 VALUE_PAIR *auth_type;
107 auth_type = pairfind(request->config_items,
109 if (auth_type && (auth_type->strvalue[0] != '\0')) {
110 snprintf(clean_password, sizeof(clean_password),
111 "<via Auth-Type = %s>",
112 auth_type->strvalue);
114 strcpy(clean_password, "<no User-Password attribute>");
116 } else if (request->password->attribute == PW_CHAP_PASSWORD) {
117 strcpy(clean_password, "<CHAP-Password>");
119 librad_safeprint((char *)request->password->strvalue,
120 request->password->length,
121 clean_password, sizeof(clean_password));
126 radlog(L_AUTH, "%s: [%s%s%s] (%s)",
129 mainconfig.log_auth_goodpass ? "/" : "",
130 mainconfig.log_auth_goodpass ? clean_password : "",
131 auth_name(buf, sizeof(buf), request, 1));
133 radlog(L_AUTH, "%s: [%s%s%s] (%s)",
136 mainconfig.log_auth_badpass ? "/" : "",
137 mainconfig.log_auth_badpass ? clean_password : "",
138 auth_name(buf, sizeof(buf), request, 1));
149 * -2 Rejected (Auth-Type = Reject, send Port-Message back)
150 * 1 End check & return, don't reply
152 * NOTE: NOT the same as the RLM_ values !
154 int rad_check_password(REQUEST *request)
156 VALUE_PAIR *auth_type_pair;
157 VALUE_PAIR *cur_config_item;
158 VALUE_PAIR *password_pair;
159 VALUE_PAIR *auth_item;
160 char string[MAX_STRING_LEN];
163 int auth_type_count = 0;
167 * Look for matching check items. We skip the whole lot
168 * if the authentication type is PW_AUTHTYPE_ACCEPT or
169 * PW_AUTHTYPE_REJECT.
171 cur_config_item = request->config_items;
172 while(((auth_type_pair = pairfind(cur_config_item, PW_AUTH_TYPE))) != NULL) {
173 auth_type = auth_type_pair->lvalue;
176 DEBUG2(" rad_check_password: Found Auth-Type %s",
177 auth_type_pair->strvalue);
178 cur_config_item = auth_type_pair->next;
180 if (auth_type == PW_AUTHTYPE_REJECT) {
181 DEBUG2(" rad_check_password: Auth-Type = Reject, rejecting user");
186 if (( auth_type_count > 1) && (debug_flag)) {
187 radlog(L_ERR, "Warning: Found %d auth-types on request for user '%s'",
188 auth_type_count, request->username->strvalue);
192 * This means we have a proxy reply or an accept
193 * and it wasn't rejected in the above loop. So
194 * that means it is accepted and we do no further
197 if ((auth_type == PW_AUTHTYPE_ACCEPT) || (request->proxy)) {
198 DEBUG2(" rad_check_password: Auth-Type = Accept, accepting the user");
203 * Find the password from the users file.
205 if ((password_pair = pairfind(request->config_items, PW_CRYPT_PASSWORD)) != NULL) {
207 * Re-write Auth-Type, but ONLY if it isn't already
210 if (auth_type == -1) auth_type = PW_AUTHTYPE_CRYPT;
212 password_pair = pairfind(request->config_items, PW_PASSWORD);
217 auth_type = PW_AUTHTYPE_LOCAL;
220 * The admin hasn't told us how to
221 * authenticate the user, so we reject them!
225 DEBUG2("auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user");
231 case PW_AUTHTYPE_CRYPT:
233 * Find the password sent by the user. It
234 * SHOULD be there, if it's not
235 * authentication fails.
237 auth_item = request->password;
238 if (auth_item == NULL) {
239 DEBUG2("auth: No User-Password or CHAP-Password attribute in the request");
243 DEBUG2("auth: type Crypt");
244 if (password_pair == NULL) {
245 DEBUG2("No Crypt-Password configured for the user");
246 rad_authlog("Login incorrect "
247 "(No Crypt-Password configured for the user)", request, 0);
251 switch (lrad_crypt_check((char *)auth_item->strvalue,
252 (char *)password_pair->strvalue)) {
254 rad_authlog("Login incorrect "
255 "(system failed to supply an encrypted password for comparison)", request, 0);
260 case PW_AUTHTYPE_LOCAL:
261 DEBUG2("auth: type Local");
264 * Find the password sent by the user. It
265 * SHOULD be there, if it's not
266 * authentication fails.
268 auth_item = request->password;
269 if (auth_item == NULL) {
270 DEBUG2("auth: No User-Password or CHAP-Password attribute in the request");
275 * Plain text password.
277 if (password_pair == NULL) {
278 DEBUG2("auth: No password configured for the user");
279 rad_authlog("Login incorrect "
280 "(No password configured for the user)", request, 0);
285 * Local password is just plain text.
287 if (auth_item->attribute == PW_PASSWORD) {
288 if (strcmp((char *)password_pair->strvalue,
289 (char *)auth_item->strvalue) != 0) {
290 DEBUG2("auth: user supplied User-Password does NOT match local User-Password");
293 DEBUG2("auth: user supplied User-Password matches local User-Password");
296 } else if (auth_item->attribute != PW_CHAP_PASSWORD) {
297 DEBUG2("The user did not supply a User-Password or a CHAP-Password attribute");
298 rad_authlog("Login incorrect "
299 "(no User-Password or CHAP-Password attribute)", request, 0);
303 rad_chap_encode(request->packet, string,
304 auth_item->strvalue[0], password_pair);
309 if (memcmp(string + 1, auth_item->strvalue + 1,
310 CHAP_VALUE_LENGTH) != 0) {
311 DEBUG2("auth: user supplied CHAP-Password does NOT match local User-Password");
314 DEBUG2("auth: user supplied CHAP-Password matches local User-Password");
317 DEBUG2("auth: type \"%s\"",
318 dict_valbyattr(PW_AUTH_TYPE, auth_type)->name);
320 * See if there is a module that handles
321 * this type, and turn the RLM_ return
322 * status into the values as defined at
323 * the top of this function.
325 result = module_authenticate(auth_type, request);
328 * An authentication module FAIL
329 * return code, or any return code that
330 * is not expected from authentication,
331 * is the same as an explicit REJECT!
333 case RLM_MODULE_FAIL:
334 case RLM_MODULE_REJECT:
335 case RLM_MODULE_USERLOCK:
336 case RLM_MODULE_INVALID:
337 case RLM_MODULE_NOTFOUND:
338 case RLM_MODULE_NOOP:
339 case RLM_MODULE_UPDATED:
345 case RLM_MODULE_HANDLED:
356 * Post-authentication step processes the response before it is
357 * sent to the NAS. It can receive both Access-Accept and Access-Reject
360 int rad_postauth(REQUEST *request)
363 int postauth_type = 0;
364 VALUE_PAIR *postauth_type_item = NULL;
367 * Do post-authentication calls. ignoring the return code.
369 postauth_type_item = pairfind(request->config_items, PW_POST_AUTH_TYPE);
370 if (postauth_type_item)
371 postauth_type = postauth_type_item->lvalue;
372 result = module_post_auth(postauth_type, request);
378 * The module failed, or said to reject the user: Do so.
380 case RLM_MODULE_FAIL:
381 case RLM_MODULE_REJECT:
382 case RLM_MODULE_USERLOCK:
383 case RLM_MODULE_INVALID:
384 request->reply->code = PW_AUTHENTICATION_REJECT;
385 result = RLM_MODULE_REJECT;
389 * The module had a number of OK return codes.
391 case RLM_MODULE_NOTFOUND:
392 case RLM_MODULE_NOOP:
393 case RLM_MODULE_UPDATED:
395 case RLM_MODULE_HANDLED:
396 result = RLM_MODULE_OK;
403 * Before sending an Access-Reject, call the modules in the
404 * Post-Auth-Type REJECT stanza.
406 static int rad_postauth_reject(REQUEST *request)
412 dval = dict_valbyname(PW_POST_AUTH_TYPE, "REJECT");
414 /* Overwrite the Post-Auth-Type with the value REJECT */
415 pairdelete(&request->config_items, PW_POST_AUTH_TYPE);
416 tmp = paircreate(PW_POST_AUTH_TYPE, PW_TYPE_INTEGER);
417 tmp->lvalue = dval->value;
418 pairadd(&request->config_items, tmp);
419 result = rad_postauth(request);
421 /* No REJECT stanza */
422 result = RLM_MODULE_OK;
428 * Process and reply to an authentication request
430 * The return value of this function isn't actually used right now, so
431 * it's not entirely clear if it is returning the right things. --Pac.
433 int rad_authenticate(REQUEST *request)
435 VALUE_PAIR *namepair;
436 VALUE_PAIR *check_item;
437 VALUE_PAIR *auth_item;
438 VALUE_PAIR *module_msg;
439 VALUE_PAIR *tmp = NULL;
441 char umsg[MAX_STRING_LEN + 1];
442 const char *user_msg = NULL;
443 const char *password;
446 int seen_callback_id;
447 char buf[1024], logstr[1024];
454 * If this request got proxied to another server,
455 * AND it was an authentication request, then we need
456 * to add an initial Auth-Type: Auth-Accept for success,
457 * Auth-Reject for fail. We also need to add the reply
458 * pairs from the server to the initial reply.
460 * Huh? If the request wasn't an authentication request,
461 * WTF are we doing here?
463 if ((request->proxy_reply) &&
464 (request->packet->code == PW_AUTHENTICATION_REQUEST)) {
465 tmp = paircreate(PW_AUTH_TYPE, PW_TYPE_INTEGER);
467 radlog(L_ERR|L_CONS, "no memory");
472 * Challenges are punted back to the NAS
473 * without any further processing.
475 if (request->proxy_reply->code == PW_ACCESS_CHALLENGE) {
476 request->reply->code = PW_ACCESS_CHALLENGE;
477 return RLM_MODULE_HANDLED;
481 * Reply of ACCEPT means accept, ALL other
482 * replies mean reject. This is fail-safe.
484 if (request->proxy_reply->code == PW_AUTHENTICATION_ACK)
485 tmp->lvalue = PW_AUTHTYPE_ACCEPT;
487 tmp->lvalue = PW_AUTHTYPE_REJECT;
488 pairadd(&request->config_items, tmp);
491 * If it's an Access-Reject, then do NOT do any
492 * authorization or authentication. They're being
493 * rejected, so we minimize the amount of work
494 * done by the server, by rejecting them here.
496 if ((request->proxy_reply->code != PW_AUTHENTICATION_ACK) &&
497 (request->proxy_reply->code != PW_ACCESS_CHALLENGE)) {
498 rad_authlog("Login incorrect (Home Server says so)", request, 0);
499 request->reply->code = PW_AUTHENTICATION_REJECT;
500 rad_postauth_reject(request);
501 return RLM_MODULE_REJECT;
506 * Get the username from the request.
508 * Note that namepair MAY be NULL, in which case there
509 * is no User-Name attribute in the request.
511 namepair = request->username;
514 * Look for, and cache, passwords.
516 if (!request->password) {
517 request->password = pairfind(request->packet->vps,
522 * Discover which password we want to use.
524 auth_item = request->password;
526 password = (const char *)auth_item->strvalue;
530 * Maybe there's a CHAP-Password?
532 if ((auth_item = pairfind(request->packet->vps,
533 PW_CHAP_PASSWORD)) != NULL) {
534 password = "<CHAP-PASSWORD>";
538 * No password we recognize.
540 password = "<NO-PASSWORD>";
543 request->password = auth_item;
546 * Get the user's authorization information from the database
549 r = module_authorize(autz_type, request);
550 if (r != RLM_MODULE_NOTFOUND &&
551 r != RLM_MODULE_NOOP &&
552 r != RLM_MODULE_OK &&
553 r != RLM_MODULE_UPDATED) {
554 if (r != RLM_MODULE_FAIL && r != RLM_MODULE_HANDLED) {
555 if ((module_msg = pairfind(request->packet->vps,
556 PW_MODULE_FAILURE_MESSAGE)) != NULL){
557 char msg[MAX_STRING_LEN+16];
558 snprintf(msg, sizeof(msg), "Invalid user (%s)",
559 module_msg->strvalue);
560 rad_authlog(msg,request,0);
562 rad_authlog("Invalid user", request, 0);
564 request->reply->code = PW_AUTHENTICATION_REJECT;
569 VALUE_PAIR *autz_type_item = NULL;
570 autz_type_item = pairfind(request->config_items, PW_AUTZ_TYPE);
572 autz_type = autz_type_item->lvalue;
579 * If we haven't already proxied the packet, then check
580 * to see if we should. Maybe one of the authorize
581 * modules has decided that a proxy should be used. If
582 * so, get out of here and send the packet.
584 if ((request->proxy == NULL) &&
585 ((tmp = pairfind(request->config_items, PW_PROXY_TO_REALM)) != NULL)) {
589 * Catch users who set Proxy-To-Realm to a LOCAL
592 realm = realm_find(tmp->strvalue, 0);
593 rad_assert((realm == NULL) || (realm->ipaddr.af == AF_INET));
594 if (realm && (realm->ipaddr.ipaddr.ip4addr.s_addr == htonl(INADDR_NONE))) {
595 DEBUG2(" WARNING: You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling invalid proxy request.", realm->realm);
598 * Don't authenticate, as the request is
601 return RLM_MODULE_OK;
606 * Perhaps there is a Stripped-User-Name now.
608 namepair = request->username;
614 result = rad_check_password(request);
617 return RLM_MODULE_HANDLED;
622 * Failed to validate the user.
624 * We PRESUME that the code which failed will clean up
625 * request->reply->vps, to be ONLY the reply items it
626 * wants to send back.
629 DEBUG2("auth: Failed to validate the user.");
630 request->reply->code = PW_AUTHENTICATION_REJECT;
632 if ((module_msg = pairfind(request->packet->vps,PW_MODULE_FAILURE_MESSAGE)) != NULL){
633 char msg[MAX_STRING_LEN+19];
635 snprintf(msg, sizeof(msg), "Login incorrect (%s)",
636 module_msg->strvalue);
637 rad_authlog(msg, request, 0);
639 rad_authlog("Login incorrect", request, 0);
642 /* double check: maybe the secret is wrong? */
643 if ((debug_flag > 1) && (auth_item != NULL) &&
644 (auth_item->attribute == PW_PASSWORD)) {
647 p = auth_item->strvalue;
649 if (!isprint((int) *p)) {
650 log_debug(" WARNING: Unprintable characters in the password.\n\t Double-check the shared secret on the server and the NAS!");
659 (check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE)) != NULL) {
660 VALUE_PAIR *session_type;
663 session_type = pairfind(request->config_items, PW_SESSION_TYPE);
665 sess_type = session_type->lvalue;
668 * User authenticated O.K. Now we have to check
669 * for the Simultaneous-Use parameter.
672 (r = module_checksimul(sess_type,request, check_item->lvalue)) != 0) {
676 /* Multilink attempt. Check if port-limit > simultaneous-use */
677 VALUE_PAIR *port_limit;
679 if ((port_limit = pairfind(request->reply->vps, PW_PORT_LIMIT)) != NULL &&
680 port_limit->lvalue > check_item->lvalue){
681 DEBUG2("main auth: MPP is OK");
686 if (check_item->lvalue > 1) {
687 snprintf(umsg, sizeof(umsg),
688 "\r\nYou are already logged in %d times - access denied\r\n\n",
689 (int)check_item->lvalue);
692 user_msg = "\r\nYou are already logged in - access denied\r\n\n";
695 request->reply->code = PW_AUTHENTICATION_REJECT;
698 * They're trying to log in too many times.
699 * Remove ALL reply attributes.
701 pairfree(&request->reply->vps);
702 tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
703 request->reply->vps = tmp;
705 snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
707 r == 2 ? "[MPP attempt]" : "");
708 rad_authlog(logstr, request, 1);
716 * Result should be >= 0 here - if not, it means the user
717 * is rejected, so we just process post-auth and return.
720 rad_postauth_reject(request);
721 return RLM_MODULE_REJECT;
725 * We might need this later. The 'password' string
726 * is NOT used anywhere below here, except for logging,
727 * so it should be safe...
729 if ((auth_item != NULL) && (auth_item->attribute == PW_CHAP_PASSWORD)) {
730 password = "CHAP-Password";
734 * Add the port number to the Framed-IP-Address if
735 * vp->addport is set.
737 if (((tmp = pairfind(request->reply->vps,
738 PW_FRAMED_IP_ADDRESS)) != NULL) &&
739 (tmp->flags.addport != 0)) {
740 VALUE_PAIR *vpPortId;
743 * Find the NAS port ID.
745 if ((vpPortId = pairfind(request->packet->vps,
746 PW_NAS_PORT)) != NULL) {
747 unsigned long tvalue = ntohl(tmp->lvalue);
748 tmp->lvalue = htonl(tvalue + vpPortId->lvalue);
749 tmp->flags.addport = 0;
750 ip_ntoa(tmp->strvalue, tmp->lvalue);
752 DEBUG2("WARNING: No NAS-Port attribute in request. CANNOT return a Framed-IP-Address + NAS-Port.\n");
753 pairdelete(&request->reply->vps, PW_FRAMED_IP_ADDRESS);
758 * See if we need to execute a program.
759 * FIXME: somehow cache this info, and only execute the
760 * program when we receive an Accounting-START packet.
761 * Only at that time we know dynamic IP etc.
765 if ((auth_item = pairfind(request->reply->vps, PW_EXEC_PROGRAM)) != NULL) {
767 exec_program = strdup((char *)auth_item->strvalue);
768 pairdelete(&request->reply->vps, PW_EXEC_PROGRAM);
770 if ((auth_item = pairfind(request->reply->vps, PW_EXEC_PROGRAM_WAIT)) != NULL) {
772 exec_program = strdup((char *)auth_item->strvalue);
773 pairdelete(&request->reply->vps, PW_EXEC_PROGRAM_WAIT);
777 * Hack - allow % expansion in certain value strings.
778 * This is nice for certain Exec-Program programs.
780 seen_callback_id = 0;
781 if ((auth_item = pairfind(request->reply->vps, PW_CALLBACK_ID)) != NULL) {
782 seen_callback_id = 1;
783 radius_xlat(buf, sizeof(auth_item->strvalue),
784 (char *)auth_item->strvalue, request, NULL);
785 strNcpy((char *)auth_item->strvalue, buf,
786 sizeof(auth_item->strvalue));
787 auth_item->length = strlen((char *)auth_item->strvalue);
792 * If we want to exec a program, but wait for it,
793 * do it first before sending the reply.
795 if (exec_program && exec_wait) {
796 r = radius_exec_program(exec_program, request,
799 request->packet->vps, &tmp, 1);
804 * Always add the value-pairs to the reply.
806 pairmove(&request->reply->vps, &tmp);
811 * Error. radius_exec_program() returns -1 on
812 * fork/exec errors, or >0 if the exec'ed program
813 * had a non-zero exit status.
815 if (umsg[0] == '\0') {
816 user_msg = "\r\nAccess denied (external check failed).";
821 request->reply->code = PW_AUTHENTICATION_REJECT;
822 tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
824 pairadd(&request->reply->vps, tmp);
825 rad_authlog("Login incorrect (external check failed)",
828 rad_postauth_reject(request);
830 return RLM_MODULE_REJECT;
834 * FIXME: Add Reply-Message with the text?
839 * Delete "normal" A/V pairs when using callback.
841 * FIXME: This is stupid. The portmaster should accept
842 * these settings instead of insisting on using a
845 * FIXME2: Move this into the above exec thingy?
846 * (if you knew how I use the exec_wait, you'd understand).
848 if (seen_callback_id) {
849 pairdelete(&request->reply->vps, PW_FRAMED_PROTOCOL);
850 pairdelete(&request->reply->vps, PW_FRAMED_IP_ADDRESS);
851 pairdelete(&request->reply->vps, PW_FRAMED_IP_NETMASK);
852 pairdelete(&request->reply->vps, PW_FRAMED_ROUTE);
853 pairdelete(&request->reply->vps, PW_FRAMED_MTU);
854 pairdelete(&request->reply->vps, PW_FRAMED_COMPRESSION);
855 pairdelete(&request->reply->vps, PW_FILTER_ID);
856 pairdelete(&request->reply->vps, PW_PORT_LIMIT);
857 pairdelete(&request->reply->vps, PW_CALLBACK_NUMBER);
861 * Set the reply to Access-Accept, if it hasn't already
862 * been set to something. (i.e. Access-Challenge)
864 if (request->reply->code == 0)
865 request->reply->code = PW_AUTHENTICATION_ACK;
867 if ((module_msg = pairfind(request->packet->vps,PW_MODULE_SUCCESS_MESSAGE)) != NULL){
868 char msg[MAX_STRING_LEN+12];
870 snprintf(msg, sizeof(msg), "Login OK (%s)",
871 module_msg->strvalue);
872 rad_authlog(msg, request, 1);
874 rad_authlog("Login OK", request, 1);
877 if (exec_program && !exec_wait) {
879 * No need to check the exit status here.
881 radius_exec_program(exec_program, request, exec_wait,
882 NULL, 0, request->packet->vps, NULL, 1);
888 result = rad_postauth(request);