From: Matthew Newton
Date: Wed, 3 Oct 2012 00:14:44 +0000 (+0100)
Subject: remove auth check against User-Password, add autz warning
X-Git-Tag: docs_marker_master~325^2~5^2~1
X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=24d7921c043792b3428c37e8737e45fcd1be0fd3;p=freeradius.git

remove auth check against User-Password, add autz warning
---
diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c
index 54bfa43..7828606 100644
--- a/src/modules/rlm_pap/rlm_pap.c
+++ b/src/modules/rlm_pap/rlm_pap.c
@@ -260,16 +260,12 @@ static int pap_authorize(void *instance, REQUEST *request)
 switch (vp->attribute) {
 case PW_USER_PASSWORD: /* deprecated */
- found_pw = TRUE;
-
- /*
- * Look for '{foo}', and use them
- */
- if (!inst->auto_header ||
- (vp->vp_strvalue[0] != '{')) {
- break;
- }
- /* FALL-THROUGH */
+ RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
+ RDEBUG("!!! Please update your configuration so that the \"known !!!");
+ RDEBUG("!!! good\" clear text password is in Cleartext-Password, !!!");
+ RDEBUG("!!! and NOT in User-Password. !!!");
+ RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
+ break;
 case PW_PASSWORD_WITH_HEADER: /* preferred */
 {
@@ -290,8 +286,7 @@ static int pap_authorize(void *instance, REQUEST *request)
 * Password already exists: use
 * that instead of this one.
 */
- if (pairfind(request->config_items, PW_USER_PASSWORD, 0) ||
- pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0)) {
+ if (pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0)) {
 RDEBUG("Config already contains \"known good\" password. Ignoring Password-With-Header");
 break;
 }
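Review bot: The new `PW_USER_PASSWORD` branch in `pap_authorize` announces the change only through `RDEBUG`, so a server running without debug output gives no sign that the attribute is now skipped. With `found_pw = TRUE` removed here and the `PW_USER_PASSWORD` label dropped from `pap_authenticate` (the -501 hunk), a configuration that still keeps the reference password in User-Password will presumably just stop authenticating. Consider repeating the message on the server's normal log path and stating the consequence in the banner, for example with an extra line such as `RDEBUG("!!! User-Password in the config items is ignored by PAP. !!!");`. The `/* deprecated */` comment on the case label is now stale and would read better as `/* no longer accepted as a known-good password */`. The loop and switch begin and end outside the hunk, so how the unset `found_pw` is handled afterwards cannot be confirmed from here.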
@@ -336,14 +331,6 @@ static int pap_authorize(void *instance, REQUEST *request) new_vp->length = vp->length; new_vp->length -= (p - q + 1); memcpy(new_vp->vp_strvalue, p + 1, new_vp->length); - - /* - * May be old-style User-Password with header. - * We've found the header & created the proper - * attribute, so we should delete the old - * User-Password here. - */ - pairdelete(&request->config_items, PW_USER_PASSWORD, 0); } break; @@ -501,8 +488,7 @@ static int pap_authenticate(void *instance, REQUEST *request) */ for (vp = request->config_items; vp != NULL; vp = vp->next) { switch (vp->attribute) { - case PW_USER_PASSWORD: /* deprecated */ - case PW_CLEARTEXT_PASSWORD: /* preferred */ + case PW_CLEARTEXT_PASSWORD: auth_func = &pap_auth_clear; break; @@ -579,14 +565,6 @@ static int pap_authenticate(void *instance, REQUEST *request) static int pap_auth_clear(REQUEST *request, VALUE_PAIR *vp, char *fmsg) { - if (vp->attribute == PW_USER_PASSWORD) { - RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); - RDEBUG("!!! Please update your configuration so that the \"known !!!"); - RDEBUG("!!! good\" clear text password is in Cleartext-Password, !!!"); - RDEBUG("!!! and NOT in User-Password. !!!"); - RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); - } - RDEBUG("Using clear text password \"%s\"", vp->vp_strvalue); if ((vp->length != request->password->length) ||