2 * auth.c User authentication.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2000,2006 The FreeRADIUS server project
21 * Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
22 * Copyright 2000 Jeff Carneal <jeff@apex.net>
26 #include <freeradius-devel/radiusd.h>
27 #include <freeradius-devel/modules.h>
28 #include <freeradius-devel/state.h>
29 #include <freeradius-devel/rad_assert.h>
34 * Return a short string showing the terminal server, port
35 * and calling station ID.
37 char *auth_name(char *buf, size_t buflen, REQUEST *request, bool do_cli)
44 if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID, 0, TAG_ANY)) == NULL) {
48 if ((pair = pairfind(request->packet->vps, PW_NAS_PORT, 0, TAG_ANY)) != NULL) {
49 port = pair->vp_integer;
52 if (request->packet->dst_port == 0) {
53 if (pairfind(request->packet->vps, PW_FREERADIUS_PROXIED_TO, 0, TAG_ANY)) {
54 tls = " via TLS tunnel";
56 tls = " via proxy to virtual server";
60 snprintf(buf, buflen, "from client %.128s port %u%s%.128s%s",
61 request->client->shortname, port,
62 (do_cli ? " cli " : ""), (do_cli ? cli->vp_strvalue : ""),
71 * Make sure user/pass are clean
74 static int rad_authlog(char const *msg, REQUEST *request, int goodpass)
77 char const *extra_msg = NULL;
78 char clean_password[1024];
79 char clean_username[1024];
83 VALUE_PAIR *username = NULL;
85 if (!request->root->log_auth) {
90 * Get the correct username based on the configured value
92 if (!log_stripped_names) {
93 username = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
95 username = request->username;
99 * Clean up the username
101 if (username == NULL) {
102 strcpy(clean_username, "<no User-Name attribute>");
104 fr_print_string(username->vp_strvalue,
106 clean_username, sizeof(clean_username), '\0');
110 * Clean up the password
112 if (request->root->log_auth_badpass || request->root->log_auth_goodpass) {
113 if (!request->password) {
114 VALUE_PAIR *auth_type;
116 auth_type = pairfind(request->config_items, PW_AUTH_TYPE, 0, TAG_ANY);
118 snprintf(clean_password, sizeof(clean_password),
119 "<via Auth-Type = %s>",
120 dict_valnamebyattr(PW_AUTH_TYPE, 0,
121 auth_type->vp_integer));
123 strcpy(clean_password, "<no User-Password attribute>");
125 } else if (pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) {
126 strcpy(clean_password, "<CHAP-Password>");
128 fr_print_string(request->password->vp_strvalue,
129 request->password->length,
130 clean_password, sizeof(clean_password), '\0');
135 logit = request->root->log_auth_goodpass;
136 extra_msg = request->root->auth_goodpass_msg;
138 logit = request->root->log_auth_badpass;
139 extra_msg = request->root->auth_badpass_msg;
145 if (radius_xlat(p, sizeof(extra) - 1, request, extra_msg, NULL, NULL) < 0) {
152 RAUTH("%s: [%s%s%s] (%s)%s",
156 logit ? clean_password : "",
157 auth_name(buf, sizeof(buf), request, 1),
168 * -2 Rejected (Auth-Type = Reject, send Port-Message back)
169 * 1 End check & return, don't reply
171 * NOTE: NOT the same as the RLM_ values !
173 static int CC_HINT(nonnull) rad_check_password(REQUEST *request)
176 VALUE_PAIR *auth_type_pair;
179 int auth_type_count = 0;
182 * Look for matching check items. We skip the whole lot
183 * if the authentication type is PW_AUTHTYPE_ACCEPT or
184 * PW_AUTHTYPE_REJECT.
186 fr_cursor_init(&cursor, &request->config_items);
187 while ((auth_type_pair = fr_cursor_next_by_num(&cursor, PW_AUTH_TYPE, 0, TAG_ANY))) {
188 auth_type = auth_type_pair->vp_integer;
191 RDEBUG2("Found Auth-Type = %s", dict_valnamebyattr(PW_AUTH_TYPE, 0, auth_type));
192 if (auth_type == PW_AUTHTYPE_REJECT) {
193 RDEBUG2("Auth-Type = Reject, rejecting user");
200 * Warn if more than one Auth-Type was found, because only the last
201 * one found will actually be used.
203 if ((auth_type_count > 1) && (debug_flag)) {
204 RERROR("Warning: Found %d auth-types on request for user '%s'",
205 auth_type_count, request->username->vp_strvalue);
209 * This means we have a proxy reply or an accept and it wasn't
210 * rejected in the above loop. So that means it is accepted and we
211 * do no further authentication.
213 if ((auth_type == PW_AUTHTYPE_ACCEPT)
218 RDEBUG2("Auth-Type = Accept, accepting the user");
223 * Check that Auth-Type has been set, and reject if not.
225 * Do quick checks to see if Cleartext-Password or Crypt-Password have
226 * been set, and complain if so.
229 if (pairfind(request->config_items, PW_CRYPT_PASSWORD, 0, TAG_ANY) != NULL) {
230 RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Crypt'");
231 RWDEBUG2("Use the PAP module instead");
233 else if (pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY) != NULL) {
234 RWDEBUG2("Please update your configuration, and remove 'Auth-Type = Local'");
235 RWDEBUG2("Use the PAP or CHAP modules instead");
239 * The admin hasn't told us how to
240 * authenticate the user, so we reject them!
245 REDEBUG2("No Auth-Type found: rejecting the user via Post-Auth-Type = Reject");
250 * See if there is a module that handles
251 * this Auth-Type, and turn the RLM_ return
252 * status into the values as defined at
253 * the top of this function.
255 result = process_authenticate(auth_type, request);
258 * An authentication module FAIL
259 * return code, or any return code that
260 * is not expected from authentication,
261 * is the same as an explicit REJECT!
263 case RLM_MODULE_FAIL:
264 case RLM_MODULE_INVALID:
265 case RLM_MODULE_NOOP:
266 case RLM_MODULE_NOTFOUND:
267 case RLM_MODULE_REJECT:
268 case RLM_MODULE_UPDATED:
269 case RLM_MODULE_USERLOCK:
278 case RLM_MODULE_HANDLED:
287 * Post-authentication step processes the response before it is
288 * sent to the NAS. It can receive both Access-Accept and Access-Reject
291 int rad_postauth(REQUEST *request)
294 int postauth_type = 0;
298 * Do post-authentication calls. ignoring the return code.
300 vp = pairfind(request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY);
302 postauth_type = vp->vp_integer;
303 RDEBUG2("Using Post-Auth-Type %s",
304 dict_valnamebyattr(PW_POST_AUTH_TYPE, 0, postauth_type));
306 result = process_post_auth(postauth_type, request);
309 * The module failed, or said to reject the user: Do so.
311 case RLM_MODULE_FAIL:
312 case RLM_MODULE_INVALID:
313 case RLM_MODULE_REJECT:
314 case RLM_MODULE_USERLOCK:
316 request->reply->code = PW_CODE_ACCESS_REJECT;
317 fr_state_discard(request, request->packet);
318 result = RLM_MODULE_REJECT;
321 * The module handled the request, cancel the reply.
323 case RLM_MODULE_HANDLED:
327 * The module had a number of OK return codes.
329 case RLM_MODULE_NOOP:
330 case RLM_MODULE_NOTFOUND:
332 case RLM_MODULE_UPDATED:
333 result = RLM_MODULE_OK;
335 if (request->reply->code == PW_CODE_ACCESS_CHALLENGE) {
336 fr_state_put_vps(request, request->packet, request->reply);
339 fr_state_discard(request, request->packet);
347 * Process and reply to an authentication request
349 * The return value of this function isn't actually used right now, so
350 * it's not entirely clear if it is returning the right things. --Pac.
352 int rad_authenticate(REQUEST *request)
354 #ifdef WITH_SESSION_MGMT
355 VALUE_PAIR *check_item;
357 VALUE_PAIR *module_msg;
358 VALUE_PAIR *tmp = NULL;
365 * If this request got proxied to another server, we need
366 * to check whether it authenticated the request or not.
368 * request->proxy gets set only AFTER authorization, so
369 * it's safe to check it here. If it exists, it means
370 * we're doing a second pass through rad_authenticate().
372 if (request->proxy) {
375 if (request->proxy_reply) code = request->proxy_reply->code;
379 * Reply of ACCEPT means accept, thus set Auth-Type
382 case PW_CODE_ACCESS_ACCEPT:
383 tmp = radius_paircreate(request,
384 &request->config_items,
386 if (tmp) tmp->vp_integer = PW_AUTHTYPE_ACCEPT;
390 * Challenges are punted back to the NAS without any
391 * further processing.
393 case PW_CODE_ACCESS_CHALLENGE:
394 request->reply->code = PW_CODE_ACCESS_CHALLENGE;
395 return RLM_MODULE_OK;
398 * ALL other replies mean reject. (this is fail-safe)
400 * Do NOT do any authorization or authentication. They
401 * are being rejected, so we minimize the amount of work
402 * done by the server, by rejecting them here.
404 case PW_CODE_ACCESS_REJECT:
405 rad_authlog("Login incorrect (Home Server says so)",
407 request->reply->code = PW_CODE_ACCESS_REJECT;
408 return RLM_MODULE_REJECT;
411 rad_authlog("Login incorrect (Home Server failed to respond)",
413 return RLM_MODULE_REJECT;
418 * Look for, and cache, passwords.
420 if (!request->password) {
421 request->password = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
423 if (!request->password) {
424 request->password = pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY);
428 * Grab the VPS associated with the State attribute.
430 fr_state_get_vps(request, request->packet);
433 * Get the user's authorization information from the database
436 result = process_authorize(autz_type, request);
438 case RLM_MODULE_NOOP:
439 case RLM_MODULE_NOTFOUND:
441 case RLM_MODULE_UPDATED:
443 case RLM_MODULE_HANDLED:
445 case RLM_MODULE_FAIL:
446 case RLM_MODULE_INVALID:
447 case RLM_MODULE_REJECT:
448 case RLM_MODULE_USERLOCK:
450 if ((module_msg = pairfind(request->packet->vps, PW_MODULE_FAILURE_MESSAGE, 0, TAG_ANY)) != NULL) {
451 char msg[MAX_STRING_LEN + 16];
452 snprintf(msg, sizeof(msg), "Invalid user (%s)",
453 module_msg->vp_strvalue);
454 rad_authlog(msg,request,0);
456 rad_authlog("Invalid user", request, 0);
458 request->reply->code = PW_CODE_ACCESS_REJECT;
462 tmp = pairfind(request->config_items, PW_AUTZ_TYPE, 0, TAG_ANY);
464 autz_type = tmp->vp_integer;
465 RDEBUG2("Using Autz-Type %s",
466 dict_valnamebyattr(PW_AUTZ_TYPE, 0, autz_type));
473 * If we haven't already proxied the packet, then check
474 * to see if we should. Maybe one of the authorize
475 * modules has decided that a proxy should be used. If
476 * so, get out of here and send the packet.
480 (request->proxy == NULL) &&
482 ((tmp = pairfind(request->config_items, PW_PROXY_TO_REALM, 0, TAG_ANY)) != NULL)) {
485 realm = realm_find2(tmp->vp_strvalue);
488 * Don't authenticate, as the request is going to
491 if (realm && realm->auth_pool) {
492 return RLM_MODULE_OK;
496 * Catch users who set Proxy-To-Realm to a LOCAL
497 * realm (sigh). But don't complain if it is
500 if (realm &&(strcmp(realm->name, "LOCAL") != 0)) {
501 RWDEBUG2("You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling proxy request.", realm->name);
505 RWDEBUG2("You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue);
517 result = rad_check_password(request);
520 * We presume that the reply has been set by someone.
522 if (request->reply->code == PW_CODE_ACCESS_CHALLENGE) {
523 fr_state_put_vps(request, request->packet, request->reply);
526 fr_state_discard(request, request->packet);
528 return RLM_MODULE_HANDLED;
534 * Failed to validate the user.
536 * We PRESUME that the code which failed will clean up
537 * request->reply->vps, to be ONLY the reply items it
538 * wants to send back.
541 RDEBUG2("Failed to authenticate the user");
542 request->reply->code = PW_CODE_ACCESS_REJECT;
544 if ((module_msg = pairfind(request->packet->vps, PW_MODULE_FAILURE_MESSAGE, 0, TAG_ANY)) != NULL){
545 char msg[MAX_STRING_LEN+19];
547 snprintf(msg, sizeof(msg), "Login incorrect (%s)",
548 module_msg->vp_strvalue);
549 rad_authlog(msg, request, 0);
551 rad_authlog("Login incorrect", request, 0);
554 if (request->password) {
555 VERIFY_VP(request->password);
556 /* double check: maybe the secret is wrong? */
557 if ((debug_flag > 1) && (request->password->da->attr == PW_USER_PASSWORD)) {
560 p = (uint8_t const *) request->password->vp_strvalue;
564 size = fr_utf8_char(p);
566 RWDEBUG("Unprintable characters in the password. Double-check the "
567 "shared secret on the server and the NAS!");
576 #ifdef WITH_SESSION_MGMT
578 (check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE, 0, TAG_ANY)) != NULL) {
579 int r, session_type = 0;
581 char umsg[MAX_STRING_LEN + 1];
583 tmp = pairfind(request->config_items, PW_SESSION_TYPE, 0, TAG_ANY);
585 session_type = tmp->vp_integer;
586 RDEBUG2("Using Session-Type %s",
587 dict_valnamebyattr(PW_SESSION_TYPE, 0, session_type));
591 * User authenticated O.K. Now we have to check
592 * for the Simultaneous-Use parameter.
594 if (request->username &&
595 (r = process_checksimul(session_type, request, check_item->vp_integer)) != 0) {
599 /* Multilink attempt. Check if port-limit > simultaneous-use */
600 VALUE_PAIR *port_limit;
602 if ((port_limit = pairfind(request->reply->vps, PW_PORT_LIMIT, 0, TAG_ANY)) != NULL &&
603 port_limit->vp_integer > check_item->vp_integer){
604 RDEBUG2("MPP is OK");
609 if (check_item->vp_integer > 1) {
610 snprintf(umsg, sizeof(umsg),
612 main_config.denied_msg,
613 (int)check_item->vp_integer);
615 snprintf(umsg, sizeof(umsg),
617 main_config.denied_msg);
620 request->reply->code = PW_CODE_ACCESS_REJECT;
623 * They're trying to log in too many times.
624 * Remove ALL reply attributes.
626 pairfree(&request->reply->vps);
627 pairmake_reply("Reply-Message",
630 snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
631 check_item->vp_integer,
632 r == 2 ? "[MPP attempt]" : "");
633 rad_authlog(logstr, request, 1);
642 * Result should be >= 0 here - if not, it means the user
643 * is rejected, so we just process post-auth and return.
646 return RLM_MODULE_REJECT;
650 * Set the reply to Access-Accept, if it hasn't already
651 * been set to something. (i.e. Access-Challenge)
653 if (request->reply->code == 0)
654 request->reply->code = PW_CODE_ACCESS_ACCEPT;
656 if ((module_msg = pairfind(request->packet->vps, PW_MODULE_SUCCESS_MESSAGE, 0, TAG_ANY)) != NULL){
657 char msg[MAX_STRING_LEN+12];
659 snprintf(msg, sizeof(msg), "Login OK (%s)",
660 module_msg->vp_strvalue);
661 rad_authlog(msg, request, 1);
663 rad_authlog("Login OK", request, 1);
670 * Run a virtual server auth and postauth
673 int rad_virtual_server(REQUEST *request)
678 RDEBUG("Virtual server received request");
679 rdebug_pair_list(L_DBG_LVL_1, request, request->packet->vps, NULL);
681 RDEBUG("server %s {", request->server);
685 * We currently only handle AUTH packets here.
686 * This could be expanded to handle other packets as well if required.
688 rad_assert(request->packet->code == PW_CODE_ACCESS_REQUEST);
690 result = rad_authenticate(request);
692 if (request->reply->code == PW_CODE_ACCESS_REJECT) {
693 pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY);
694 vp = pairmake_config("Post-Auth-Type", "Reject", T_OP_SET);
695 if (vp) rad_postauth(request);
698 if (request->reply->code == PW_CODE_ACCESS_ACCEPT) {
699 rad_postauth(request);
703 RDEBUG("} # server %s", request->server);
705 RDEBUG("Virtual server sending reply");
706 rdebug_pair_list(L_DBG_LVL_1, request, request->reply->vps, NULL);