2 * auth.c User authentication.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2000,2006 The FreeRADIUS server project
21 * Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
22 * Copyright 2000 Jeff Carneal <jeff@apex.net>
25 #include <freeradius-devel/ident.h>
28 #include <freeradius-devel/radiusd.h>
29 #include <freeradius-devel/modules.h>
30 #include <freeradius-devel/rad_assert.h>
35 * Return a short string showing the terminal server, port
36 * and calling station ID.
38 char *auth_name(char *buf, size_t buflen, REQUEST *request, int do_cli)
45 if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID, 0, TAG_ANY)) == NULL)
47 if ((pair = pairfind(request->packet->vps, PW_NAS_PORT, 0, TAG_ANY)) != NULL)
48 port = pair->vp_integer;
50 if (request->packet->dst_port == 0) {
51 if (pairfind(request->packet->vps, PW_FREERADIUS_PROXIED_TO, 0, TAG_ANY)) {
52 tls = " via TLS tunnel";
54 tls = " via proxy to virtual server";
58 snprintf(buf, buflen, "from client %.128s port %u%s%.128s%s",
59 request->client->shortname, port,
60 (do_cli ? " cli " : ""), (do_cli ? (char *)cli->vp_strvalue : ""),
69 * Make sure user/pass are clean
72 static int rad_authlog(const char *msg, REQUEST *request, int goodpass)
75 const char *extra_msg = NULL;
76 char clean_password[1024];
77 char clean_username[1024];
80 VALUE_PAIR *username = NULL;
82 if (!request->root->log_auth) {
87 * Get the correct username based on the configured value
89 if (log_stripped_names == 0) {
90 username = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
92 username = request->username;
96 * Clean up the username
98 if (username == NULL) {
99 strcpy(clean_username, "<no User-Name attribute>");
101 fr_print_string((char *)username->vp_strvalue,
103 clean_username, sizeof(clean_username));
107 * Clean up the password
109 if (request->root->log_auth_badpass || request->root->log_auth_goodpass) {
110 if (!request->password) {
111 VALUE_PAIR *auth_type;
113 auth_type = pairfind(request->config_items, PW_AUTH_TYPE, 0, TAG_ANY);
115 snprintf(clean_password, sizeof(clean_password),
116 "<via Auth-Type = %s>",
117 dict_valnamebyattr(PW_AUTH_TYPE, 0,
118 auth_type->vp_integer));
120 strcpy(clean_password, "<no User-Password attribute>");
122 } else if (pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) {
123 strcpy(clean_password, "<CHAP-Password>");
125 fr_print_string((char *)request->password->vp_strvalue,
126 request->password->length,
127 clean_password, sizeof(clean_password));
132 logit = request->root->log_auth_goodpass;
133 extra_msg = request->root->auth_goodpass_msg;
135 logit = request->root->log_auth_badpass;
136 extra_msg = request->root->auth_badpass_msg;
141 radius_xlat(extra + 1, sizeof(extra) - 1, extra_msg, request,
147 radlog_request(L_AUTH, 0, request, "%s: [%s%s%s] (%s)%s",
151 logit ? clean_password : "",
152 auth_name(buf, sizeof(buf), request, 1),
163 * -2 Rejected (Auth-Type = Reject, send Port-Message back)
164 * 1 End check & return, don't reply
166 * NOTE: NOT the same as the RLM_ values !
168 static int rad_check_password(REQUEST *request)
170 VALUE_PAIR *auth_type_pair;
171 VALUE_PAIR *cur_config_item;
174 int auth_type_count = 0;
178 * Look for matching check items. We skip the whole lot
179 * if the authentication type is PW_AUTHTYPE_ACCEPT or
180 * PW_AUTHTYPE_REJECT.
182 cur_config_item = request->config_items;
183 while(((auth_type_pair = pairfind(cur_config_item, PW_AUTH_TYPE, 0, TAG_ANY))) != NULL) {
184 auth_type = auth_type_pair->vp_integer;
187 RDEBUG2("Found Auth-Type = %s",
188 dict_valnamebyattr(PW_AUTH_TYPE, 0, auth_type));
189 cur_config_item = auth_type_pair->next;
191 if (auth_type == PW_AUTHTYPE_REJECT) {
192 RDEBUG2("Auth-Type = Reject, rejecting user");
198 * Warn if more than one Auth-Type was found, because only the last
199 * one found will actually be used.
201 if (( auth_type_count > 1) && (debug_flag)) {
202 radlog_request(L_ERR, 0, request, "Warning: Found %d auth-types on request for user '%s'",
203 auth_type_count, request->username->vp_strvalue);
207 * This means we have a proxy reply or an accept and it wasn't
208 * rejected in the above loop. So that means it is accepted and we
209 * do no further authentication.
211 if ((auth_type == PW_AUTHTYPE_ACCEPT)
216 RDEBUG2("Auth-Type = Accept, accepting the user");
221 * Check that Auth-Type has been set, and reject if not.
223 * Do quick checks to see if Cleartext-Password or Crypt-Password have
224 * been set, and complain if so.
227 if (pairfind(request->config_items, PW_CRYPT_PASSWORD, 0, TAG_ANY) != NULL) {
228 RDEBUG2("WARNING: Please update your configuration, and remove 'Auth-Type = Crypt'");
229 RDEBUG2("WARNING: Use the PAP module instead.");
231 else if (pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY) != NULL) {
232 RDEBUG2("WARNING: Please update your configuration, and remove 'Auth-Type = Local'");
233 RDEBUG2("WARNING: Use the PAP or CHAP modules instead.");
237 * The admin hasn't told us how to
238 * authenticate the user, so we reject them!
243 RDEBUG2("ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user");
248 * See if there is a module that handles
249 * this Auth-Type, and turn the RLM_ return
250 * status into the values as defined at
251 * the top of this function.
253 result = module_authenticate(auth_type, request);
256 * An authentication module FAIL
257 * return code, or any return code that
258 * is not expected from authentication,
259 * is the same as an explicit REJECT!
261 case RLM_MODULE_FAIL:
262 case RLM_MODULE_INVALID:
263 case RLM_MODULE_NOOP:
264 case RLM_MODULE_NOTFOUND:
265 case RLM_MODULE_REJECT:
266 case RLM_MODULE_UPDATED:
267 case RLM_MODULE_USERLOCK:
274 case RLM_MODULE_HANDLED:
283 * Post-authentication step processes the response before it is
284 * sent to the NAS. It can receive both Access-Accept and Access-Reject
287 int rad_postauth(REQUEST *request)
290 int postauth_type = 0;
294 * Do post-authentication calls. ignoring the return code.
296 vp = pairfind(request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY);
298 postauth_type = vp->vp_integer;
299 RDEBUG2("Using Post-Auth-Type %s",
300 dict_valnamebyattr(PW_POST_AUTH_TYPE, 0, postauth_type));
302 result = module_post_auth(postauth_type, request);
305 * The module failed, or said to reject the user: Do so.
307 case RLM_MODULE_FAIL:
308 case RLM_MODULE_INVALID:
309 case RLM_MODULE_REJECT:
310 case RLM_MODULE_USERLOCK:
312 request->reply->code = PW_AUTHENTICATION_REJECT;
313 result = RLM_MODULE_REJECT;
316 * The module handled the request, cancel the reply.
318 case RLM_MODULE_HANDLED:
322 * The module had a number of OK return codes.
324 case RLM_MODULE_NOOP:
325 case RLM_MODULE_NOTFOUND:
327 case RLM_MODULE_UPDATED:
328 result = RLM_MODULE_OK;
335 * Process and reply to an authentication request
337 * The return value of this function isn't actually used right now, so
338 * it's not entirely clear if it is returning the right things. --Pac.
340 int rad_authenticate(REQUEST *request)
342 VALUE_PAIR *namepair;
343 #ifdef WITH_SESSION_MGMT
344 VALUE_PAIR *check_item;
346 VALUE_PAIR *auth_item = NULL;
347 VALUE_PAIR *module_msg;
348 VALUE_PAIR *tmp = NULL;
350 const char *password;
358 * If this request got proxied to another server, we need
359 * to check whether it authenticated the request or not.
361 if (request->proxy_reply) {
362 switch (request->proxy_reply->code) {
364 * Reply of ACCEPT means accept, thus set Auth-Type
367 case PW_AUTHENTICATION_ACK:
368 tmp = radius_paircreate(request,
369 &request->config_items,
370 PW_AUTH_TYPE, 0, PW_TYPE_INTEGER);
371 if (tmp) tmp->vp_integer = PW_AUTHTYPE_ACCEPT;
375 * Challenges are punted back to the NAS without any
376 * further processing.
378 case PW_ACCESS_CHALLENGE:
379 request->reply->code = PW_ACCESS_CHALLENGE;
380 return RLM_MODULE_OK;
382 * ALL other replies mean reject. (this is fail-safe)
384 * Do NOT do any authorization or authentication. They
385 * are being rejected, so we minimize the amount of work
386 * done by the server, by rejecting them here.
388 case PW_AUTHENTICATION_REJECT:
389 rad_authlog("Login incorrect (Home Server says so)",
391 request->reply->code = PW_AUTHENTICATION_REJECT;
392 return RLM_MODULE_REJECT;
395 rad_authlog("Login incorrect (Home Server failed to respond)",
397 return RLM_MODULE_REJECT;
403 * Get the username from the request.
405 * Note that namepair MAY be NULL, in which case there
406 * is no User-Name attribute in the request.
408 namepair = request->username;
411 * Look for, and cache, passwords.
413 if (!request->password) {
414 request->password = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
418 * Discover which password we want to use.
420 auth_item = request->password;
422 password = (const char *)auth_item->vp_strvalue;
426 * Maybe there's a CHAP-Password?
428 if ((auth_item = pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY)) != NULL) {
429 password = "<CHAP-PASSWORD>";
433 * No password we recognize.
435 password = "<NO-PASSWORD>";
438 request->password = auth_item;
441 * Get the user's authorization information from the database
444 result = module_authorize(autz_type, request);
446 case RLM_MODULE_NOOP:
447 case RLM_MODULE_NOTFOUND:
449 case RLM_MODULE_UPDATED:
451 case RLM_MODULE_HANDLED:
453 case RLM_MODULE_FAIL:
454 case RLM_MODULE_INVALID:
455 case RLM_MODULE_REJECT:
456 case RLM_MODULE_USERLOCK:
458 if ((module_msg = pairfind(request->packet->vps, PW_MODULE_FAILURE_MESSAGE, 0, TAG_ANY)) != NULL) {
459 char msg[MAX_STRING_LEN + 16];
460 snprintf(msg, sizeof(msg), "Invalid user (%s)",
461 module_msg->vp_strvalue);
462 rad_authlog(msg,request,0);
464 rad_authlog("Invalid user", request, 0);
466 request->reply->code = PW_AUTHENTICATION_REJECT;
470 tmp = pairfind(request->config_items, PW_AUTZ_TYPE, 0, TAG_ANY);
472 autz_type = tmp->vp_integer;
473 RDEBUG2("Using Autz-Type %s",
474 dict_valnamebyattr(PW_AUTZ_TYPE, 0, autz_type));
481 * If we haven't already proxied the packet, then check
482 * to see if we should. Maybe one of the authorize
483 * modules has decided that a proxy should be used. If
484 * so, get out of here and send the packet.
488 (request->proxy == NULL) &&
490 ((tmp = pairfind(request->config_items, PW_PROXY_TO_REALM, 0, TAG_ANY)) != NULL)) {
493 realm = realm_find2(tmp->vp_strvalue);
496 * Don't authenticate, as the request is going to
499 if (realm && realm->auth_pool) {
500 return RLM_MODULE_OK;
504 * Catch users who set Proxy-To-Realm to a LOCAL
505 * realm (sigh). But don't complain if it is
508 if (realm &&(strcmp(realm->name, "LOCAL") != 0)) {
509 RDEBUG2("WARNING: You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling proxy request.", realm->name);
513 RDEBUG2("WARNING: You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue);
522 * Perhaps there is a Stripped-User-Name now.
524 namepair = request->username;
530 result = rad_check_password(request);
533 return RLM_MODULE_HANDLED;
538 * Failed to validate the user.
540 * We PRESUME that the code which failed will clean up
541 * request->reply->vps, to be ONLY the reply items it
542 * wants to send back.
545 RDEBUG2("Failed to authenticate the user.");
546 request->reply->code = PW_AUTHENTICATION_REJECT;
548 if ((module_msg = pairfind(request->packet->vps, PW_MODULE_FAILURE_MESSAGE, 0, TAG_ANY)) != NULL){
549 char msg[MAX_STRING_LEN+19];
551 snprintf(msg, sizeof(msg), "Login incorrect (%s)",
552 module_msg->vp_strvalue);
553 rad_authlog(msg, request, 0);
555 rad_authlog("Login incorrect", request, 0);
558 /* double check: maybe the secret is wrong? */
559 if ((debug_flag > 1) && (auth_item != NULL) &&
560 (auth_item->attribute == PW_USER_PASSWORD)) {
563 p = (uint8_t *) auth_item->vp_strvalue;
567 size = fr_utf8_char(p);
569 log_debug(" WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!");
577 #ifdef WITH_SESSION_MGMT
579 (check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE, 0, TAG_ANY)) != NULL) {
580 int r, session_type = 0;
582 char umsg[MAX_STRING_LEN + 1];
583 const char *user_msg = NULL;
585 tmp = pairfind(request->config_items, PW_SESSION_TYPE, 0, TAG_ANY);
587 session_type = tmp->vp_integer;
588 RDEBUG2("Using Session-Type %s",
589 dict_valnamebyattr(PW_SESSION_TYPE, 0, session_type));
593 * User authenticated O.K. Now we have to check
594 * for the Simultaneous-Use parameter.
597 (r = module_checksimul(session_type, request, check_item->vp_integer)) != 0) {
601 /* Multilink attempt. Check if port-limit > simultaneous-use */
602 VALUE_PAIR *port_limit;
604 if ((port_limit = pairfind(request->reply->vps, PW_PORT_LIMIT, 0, TAG_ANY)) != NULL &&
605 port_limit->vp_integer > check_item->vp_integer){
606 RDEBUG2("MPP is OK");
611 if (check_item->vp_integer > 1) {
612 snprintf(umsg, sizeof(umsg),
613 "\r\nYou are already logged in %d times - access denied\r\n\n",
614 (int)check_item->vp_integer);
617 user_msg = "\r\nYou are already logged in - access denied\r\n\n";
620 request->reply->code = PW_AUTHENTICATION_REJECT;
623 * They're trying to log in too many times.
624 * Remove ALL reply attributes.
626 pairfree(&request->reply->vps);
627 radius_pairmake(request, &request->reply->vps,
631 snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
632 check_item->vp_integer,
633 r == 2 ? "[MPP attempt]" : "");
634 rad_authlog(logstr, request, 1);
643 * Result should be >= 0 here - if not, it means the user
644 * is rejected, so we just process post-auth and return.
647 return RLM_MODULE_REJECT;
651 * Set the reply to Access-Accept, if it hasn't already
652 * been set to something. (i.e. Access-Challenge)
654 if (request->reply->code == 0)
655 request->reply->code = PW_AUTHENTICATION_ACK;
657 if ((module_msg = pairfind(request->packet->vps, PW_MODULE_SUCCESS_MESSAGE, 0, TAG_ANY)) != NULL){
658 char msg[MAX_STRING_LEN+12];
660 snprintf(msg, sizeof(msg), "Login OK (%s)",
661 module_msg->vp_strvalue);
662 rad_authlog(msg, request, 1);
664 rad_authlog("Login OK", request, 1);
671 * Run a virtual server auth and postauth
674 int rad_virtual_server(REQUEST *request)
680 * We currently only handle AUTH packets here.
681 * This could be expanded to handle other packets as well if required.
683 rad_assert(request->packet->code == PW_AUTHENTICATION_REQUEST);
685 result = rad_authenticate(request);
687 if (request->reply->code == PW_AUTHENTICATION_REJECT) {
688 pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY);
689 vp = radius_pairmake(request, &request->config_items,
690 "Post-Auth-Type", "Reject",
692 if (vp) rad_postauth(request);
695 if (request->reply->code == PW_AUTHENTICATION_ACK) {
696 rad_postauth(request);