2 * auth.c User authentication.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2000,2006 The FreeRADIUS server project
21 * Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
22 * Copyright 2000 Jeff Carneal <jeff@apex.net>
25 #include <freeradius-devel/ident.h>
28 #include <freeradius-devel/radiusd.h>
29 #include <freeradius-devel/modules.h>
30 #include <freeradius-devel/rad_assert.h>
35 * Return a short string showing the terminal server, port
36 * and calling station ID.
38 char *auth_name(char *buf, size_t buflen, REQUEST *request, int do_cli)
44 if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID, 0)) == NULL)
46 if ((pair = pairfind(request->packet->vps, PW_NAS_PORT, 0)) != NULL)
47 port = pair->vp_integer;
49 snprintf(buf, buflen, "from client %.128s port %u%s%.128s%s",
50 request->client->shortname, port,
51 (do_cli ? " cli " : ""), (do_cli ? (char *)cli->vp_strvalue : ""),
52 (request->packet->dst_port == 0) ? " via TLS tunnel" : "");
60 * Make sure user/pass are clean
63 static int rad_authlog(const char *msg, REQUEST *request, int goodpass)
66 const char *extra_msg = NULL;
67 char clean_password[1024];
68 char clean_username[1024];
71 VALUE_PAIR *username = NULL;
73 if (!request->root->log_auth) {
78 * Get the correct username based on the configured value
80 if (log_stripped_names == 0) {
81 username = pairfind(request->packet->vps, PW_USER_NAME, 0);
83 username = request->username;
87 * Clean up the username
89 if (username == NULL) {
90 strcpy(clean_username, "<no User-Name attribute>");
92 fr_print_string((char *)username->vp_strvalue,
94 clean_username, sizeof(clean_username));
98 * Clean up the password
100 if (request->root->log_auth_badpass || request->root->log_auth_goodpass) {
101 if (!request->password) {
102 VALUE_PAIR *auth_type;
104 auth_type = pairfind(request->config_items,
106 if (auth_type && (auth_type->vp_strvalue[0] != '\0')) {
107 snprintf(clean_password, sizeof(clean_password),
108 "<via Auth-Type = %s>",
109 auth_type->vp_strvalue);
111 strcpy(clean_password, "<no User-Password attribute>");
113 } else if (pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0)) {
114 strcpy(clean_password, "<CHAP-Password>");
116 fr_print_string((char *)request->password->vp_strvalue,
117 request->password->length,
118 clean_password, sizeof(clean_password));
123 logit = request->root->log_auth_goodpass;
124 extra_msg = request->root->auth_goodpass_msg;
126 logit = request->root->log_auth_badpass;
127 extra_msg = request->root->auth_badpass_msg;
132 radius_xlat(extra + 1, sizeof(extra) - 1, extra_msg, request,
138 radlog_request(L_AUTH, 0, request, "%s: [%s%s%s] (%s)%s",
142 logit ? clean_password : "",
143 auth_name(buf, sizeof(buf), request, 1),
154 * -2 Rejected (Auth-Type = Reject, send Port-Message back)
155 * 1 End check & return, don't reply
157 * NOTE: NOT the same as the RLM_ values !
159 static int rad_check_password(REQUEST *request)
161 VALUE_PAIR *auth_type_pair;
162 VALUE_PAIR *cur_config_item;
163 VALUE_PAIR *password_pair;
164 VALUE_PAIR *auth_item;
165 uint8_t my_chap[MAX_STRING_LEN];
168 int auth_type_count = 0;
172 * Look for matching check items. We skip the whole lot
173 * if the authentication type is PW_AUTHTYPE_ACCEPT or
174 * PW_AUTHTYPE_REJECT.
176 cur_config_item = request->config_items;
177 while(((auth_type_pair = pairfind(cur_config_item, PW_AUTH_TYPE, 0))) != NULL) {
178 auth_type = auth_type_pair->vp_integer;
180 DICT_VALUE *dv = dict_valbyattr(auth_type_pair->attribute,
181 auth_type_pair->vp_integer, 0);
183 RDEBUG2("Found Auth-Type = %s",
184 (dv != NULL) ? dv->name : "?");
185 cur_config_item = auth_type_pair->next;
187 if (auth_type == PW_AUTHTYPE_REJECT) {
188 RDEBUG2("Auth-Type = Reject, rejecting user");
193 if (( auth_type_count > 1) && (debug_flag)) {
194 radlog_request(L_ERR, 0, request, "Warning: Found %d auth-types on request for user '%s'",
195 auth_type_count, request->username->vp_strvalue);
199 * This means we have a proxy reply or an accept
200 * and it wasn't rejected in the above loop. So
201 * that means it is accepted and we do no further
204 if ((auth_type == PW_AUTHTYPE_ACCEPT)
209 RDEBUG2("Auth-Type = Accept, accepting the user");
213 password_pair = pairfind(request->config_items, PW_USER_PASSWORD, 0);
215 pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0)) {
216 pairdelete(&request->config_items, PW_USER_PASSWORD, 0);
217 password_pair = NULL;
223 RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
224 RDEBUG("!!! Replacing User-Password in config items with Cleartext-Password. !!!");
225 RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
226 RDEBUG("!!! Please update your configuration so that the \"known good\" !!!");
227 RDEBUG("!!! clear text password is in Cleartext-Password, and not in User-Password. !!!");
228 RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
229 password_pair->attribute = PW_CLEARTEXT_PASSWORD;
230 da = dict_attrbyvalue(PW_CLEARTEXT_PASSWORD, 0);
232 radlog_request(L_ERR, 0, request, "FATAL: You broke the dictionaries. Please use the default dictionaries!");
236 password_pair->name = da->name;
240 * Find the "known good" password.
242 * FIXME: We should get rid of these hacks, and replace
243 * them with a module.
245 if ((password_pair = pairfind(request->config_items, PW_CRYPT_PASSWORD, 0)) != NULL) {
247 * Re-write Auth-Type, but ONLY if it isn't already
250 if (auth_type == -1) auth_type = PW_AUTHTYPE_CRYPT;
252 password_pair = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0);
257 auth_type = PW_AUTHTYPE_LOCAL;
260 * The admin hasn't told us how to
261 * authenticate the user, so we reject them!
265 RDEBUG2("ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user");
271 case PW_AUTHTYPE_CRYPT:
272 RDEBUG2("WARNING: Please update your configuration, and remove 'Auth-Type = Crypt'");
273 RDEBUG2("WARNING: Use the PAP module instead.");
276 * Find the password sent by the user. It
277 * SHOULD be there, if it's not
278 * authentication fails.
280 auth_item = request->password;
281 if (auth_item == NULL) {
282 RDEBUG2("No User-Password or CHAP-Password attribute in the request");
286 if (password_pair == NULL) {
287 RDEBUG2("No Crypt-Password configured for the user");
288 rad_authlog("Login incorrect "
289 "(No Crypt-Password configured for the user)", request, 0);
293 switch (fr_crypt_check((char *)auth_item->vp_strvalue,
294 (char *)password_pair->vp_strvalue)) {
296 rad_authlog("Login incorrect "
297 "(system failed to supply an encrypted password for comparison)", request, 0);
302 case PW_AUTHTYPE_LOCAL:
303 RDEBUG2("WARNING: Please update your configuration, and remove 'Auth-Type = Local'");
304 RDEBUG2("WARNING: Use the PAP or CHAP modules instead.");
307 * Find the password sent by the user. It
308 * SHOULD be there, if it's not
309 * authentication fails.
311 auth_item = request->password;
313 auth_item = pairfind(request->packet->vps,
314 PW_CHAP_PASSWORD, 0);
316 RDEBUG2("No User-Password or CHAP-Password attribute in the request.");
317 RDEBUG2("Cannot perform authentication.");
322 * Plain text password.
324 if (password_pair == NULL) {
325 RDEBUG2("No \"known good\" password was configured for the user.");
326 RDEBUG2("As a result, we cannot authenticate the user.");
327 rad_authlog("Login incorrect "
328 "(No password configured for the user)", request, 0);
333 * Local password is just plain text.
335 if (auth_item->attribute == PW_USER_PASSWORD) {
336 if (strcmp((char *)password_pair->vp_strvalue,
337 (char *)auth_item->vp_strvalue) != 0) {
338 RDEBUG2("User-Password in the request does NOT match \"known good\" password.");
341 RDEBUG2("User-Password in the request is correct.");
344 } else if (auth_item->attribute != PW_CHAP_PASSWORD) {
345 RDEBUG2("The user did not supply a User-Password or a CHAP-Password attribute");
346 rad_authlog("Login incorrect "
347 "(no User-Password or CHAP-Password attribute)", request, 0);
351 rad_chap_encode(request->packet, my_chap,
352 auth_item->vp_octets[0], password_pair);
357 if (memcmp(my_chap + 1, auth_item->vp_strvalue + 1,
358 CHAP_VALUE_LENGTH) != 0) {
359 RDEBUG2("CHAP-Password is incorrect.");
362 RDEBUG2("CHAP-Password is correct.");
366 * See if there is a module that handles
367 * this type, and turn the RLM_ return
368 * status into the values as defined at
369 * the top of this function.
371 result = module_authenticate(auth_type, request);
374 * An authentication module FAIL
375 * return code, or any return code that
376 * is not expected from authentication,
377 * is the same as an explicit REJECT!
379 case RLM_MODULE_FAIL:
380 case RLM_MODULE_INVALID:
381 case RLM_MODULE_NOOP:
382 case RLM_MODULE_NOTFOUND:
383 case RLM_MODULE_REJECT:
384 case RLM_MODULE_UPDATED:
385 case RLM_MODULE_USERLOCK:
392 case RLM_MODULE_HANDLED:
403 * Post-authentication step processes the response before it is
404 * sent to the NAS. It can receive both Access-Accept and Access-Reject
407 int rad_postauth(REQUEST *request)
410 int postauth_type = 0;
414 * Do post-authentication calls. ignoring the return code.
416 vp = pairfind(request->config_items, PW_POST_AUTH_TYPE, 0);
418 RDEBUG2("Using Post-Auth-Type %s", vp->vp_strvalue);
419 postauth_type = vp->vp_integer;
421 result = module_post_auth(postauth_type, request);
424 * The module failed, or said to reject the user: Do so.
426 case RLM_MODULE_FAIL:
427 case RLM_MODULE_INVALID:
428 case RLM_MODULE_REJECT:
429 case RLM_MODULE_USERLOCK:
431 request->reply->code = PW_AUTHENTICATION_REJECT;
432 result = RLM_MODULE_REJECT;
435 * The module handled the request, cancel the reply.
437 case RLM_MODULE_HANDLED:
441 * The module had a number of OK return codes.
443 case RLM_MODULE_NOOP:
444 case RLM_MODULE_NOTFOUND:
446 case RLM_MODULE_UPDATED:
447 result = RLM_MODULE_OK;
454 * Process and reply to an authentication request
456 * The return value of this function isn't actually used right now, so
457 * it's not entirely clear if it is returning the right things. --Pac.
459 int rad_authenticate(REQUEST *request)
461 VALUE_PAIR *namepair;
462 #ifdef WITH_SESSION_MGMT
463 VALUE_PAIR *check_item;
465 VALUE_PAIR *auth_item = NULL;
466 VALUE_PAIR *module_msg;
467 VALUE_PAIR *tmp = NULL;
469 const char *password;
477 * If this request got proxied to another server, we need
478 * to check whether it authenticated the request or not.
480 if (request->proxy_reply) {
481 switch (request->proxy_reply->code) {
483 * Reply of ACCEPT means accept, thus set Auth-Type
486 case PW_AUTHENTICATION_ACK:
487 tmp = radius_paircreate(request,
488 &request->config_items,
489 PW_AUTH_TYPE, 0, PW_TYPE_INTEGER);
490 if (tmp) tmp->vp_integer = PW_AUTHTYPE_ACCEPT;
494 * Challenges are punted back to the NAS without any
495 * further processing.
497 case PW_ACCESS_CHALLENGE:
498 request->reply->code = PW_ACCESS_CHALLENGE;
499 return RLM_MODULE_OK;
501 * ALL other replies mean reject. (this is fail-safe)
503 * Do NOT do any authorization or authentication. They
504 * are being rejected, so we minimize the amount of work
505 * done by the server, by rejecting them here.
507 case PW_AUTHENTICATION_REJECT:
508 rad_authlog("Login incorrect (Home Server says so)",
510 request->reply->code = PW_AUTHENTICATION_REJECT;
511 return RLM_MODULE_REJECT;
514 rad_authlog("Login incorrect (Home Server failed to respond)",
516 return RLM_MODULE_REJECT;
522 * Get the username from the request.
524 * Note that namepair MAY be NULL, in which case there
525 * is no User-Name attribute in the request.
527 namepair = request->username;
530 * Look for, and cache, passwords.
532 if (!request->password) {
533 request->password = pairfind(request->packet->vps,
534 PW_USER_PASSWORD, 0);
538 * Discover which password we want to use.
540 auth_item = request->password;
542 password = (const char *)auth_item->vp_strvalue;
546 * Maybe there's a CHAP-Password?
548 if ((auth_item = pairfind(request->packet->vps,
549 PW_CHAP_PASSWORD, 0)) != NULL) {
550 password = "<CHAP-PASSWORD>";
554 * No password we recognize.
556 password = "<NO-PASSWORD>";
559 request->password = auth_item;
562 * Get the user's authorization information from the database
565 result = module_authorize(autz_type, request);
567 case RLM_MODULE_NOOP:
568 case RLM_MODULE_NOTFOUND:
570 case RLM_MODULE_UPDATED:
572 case RLM_MODULE_HANDLED:
574 case RLM_MODULE_FAIL:
575 case RLM_MODULE_INVALID:
576 case RLM_MODULE_REJECT:
577 case RLM_MODULE_USERLOCK:
579 if ((module_msg = pairfind(request->packet->vps,
580 PW_MODULE_FAILURE_MESSAGE, 0)) != NULL) {
581 char msg[MAX_STRING_LEN + 16];
582 snprintf(msg, sizeof(msg), "Invalid user (%s)",
583 module_msg->vp_strvalue);
584 rad_authlog(msg,request,0);
586 rad_authlog("Invalid user", request, 0);
588 request->reply->code = PW_AUTHENTICATION_REJECT;
592 tmp = pairfind(request->config_items, PW_AUTZ_TYPE, 0);
594 RDEBUG2("Using Autz-Type %s", tmp->vp_strvalue);
595 autz_type = tmp->vp_integer;
602 * If we haven't already proxied the packet, then check
603 * to see if we should. Maybe one of the authorize
604 * modules has decided that a proxy should be used. If
605 * so, get out of here and send the packet.
609 (request->proxy == NULL) &&
611 ((tmp = pairfind(request->config_items, PW_PROXY_TO_REALM, 0)) != NULL)) {
614 realm = realm_find2(tmp->vp_strvalue);
617 * Don't authenticate, as the request is going to
620 if (realm && realm->auth_pool) {
621 return RLM_MODULE_OK;
625 * Catch users who set Proxy-To-Realm to a LOCAL
626 * realm (sigh). But don't complain if it is
629 if (realm &&(strcmp(realm->name, "LOCAL") != 0)) {
630 RDEBUG2("WARNING: You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling proxy request.", realm->name);
634 RDEBUG2("WARNING: You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue);
643 * Perhaps there is a Stripped-User-Name now.
645 namepair = request->username;
651 result = rad_check_password(request);
654 return RLM_MODULE_HANDLED;
659 * Failed to validate the user.
661 * We PRESUME that the code which failed will clean up
662 * request->reply->vps, to be ONLY the reply items it
663 * wants to send back.
666 RDEBUG2("Failed to authenticate the user.");
667 request->reply->code = PW_AUTHENTICATION_REJECT;
669 if ((module_msg = pairfind(request->packet->vps,PW_MODULE_FAILURE_MESSAGE, 0)) != NULL){
670 char msg[MAX_STRING_LEN+19];
672 snprintf(msg, sizeof(msg), "Login incorrect (%s)",
673 module_msg->vp_strvalue);
674 rad_authlog(msg, request, 0);
676 rad_authlog("Login incorrect", request, 0);
679 /* double check: maybe the secret is wrong? */
680 if ((debug_flag > 1) && (auth_item != NULL) &&
681 (auth_item->attribute == PW_USER_PASSWORD)) {
684 p = auth_item->vp_strvalue;
686 if (!isprint((int) *p)) {
687 log_debug(" WARNING: Unprintable characters in the password.\n\t Double-check the shared secret on the server and the NAS!");
695 #ifdef WITH_SESSION_MGMT
697 (check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE, 0)) != NULL) {
698 int r, session_type = 0;
700 char umsg[MAX_STRING_LEN + 1];
701 const char *user_msg = NULL;
703 tmp = pairfind(request->config_items, PW_SESSION_TYPE, 0);
705 RDEBUG2("Using Session-Type %s", tmp->vp_strvalue);
706 session_type = tmp->vp_integer;
710 * User authenticated O.K. Now we have to check
711 * for the Simultaneous-Use parameter.
714 (r = module_checksimul(session_type, request, check_item->vp_integer)) != 0) {
718 /* Multilink attempt. Check if port-limit > simultaneous-use */
719 VALUE_PAIR *port_limit;
721 if ((port_limit = pairfind(request->reply->vps, PW_PORT_LIMIT, 0)) != NULL &&
722 port_limit->vp_integer > check_item->vp_integer){
723 RDEBUG2("MPP is OK");
728 if (check_item->vp_integer > 1) {
729 snprintf(umsg, sizeof(umsg),
730 "\r\nYou are already logged in %d times - access denied\r\n\n",
731 (int)check_item->vp_integer);
734 user_msg = "\r\nYou are already logged in - access denied\r\n\n";
737 request->reply->code = PW_AUTHENTICATION_REJECT;
740 * They're trying to log in too many times.
741 * Remove ALL reply attributes.
743 pairfree(&request->reply->vps);
744 radius_pairmake(request, &request->reply->vps,
748 snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
749 check_item->vp_integer,
750 r == 2 ? "[MPP attempt]" : "");
751 rad_authlog(logstr, request, 1);
760 * Result should be >= 0 here - if not, it means the user
761 * is rejected, so we just process post-auth and return.
764 return RLM_MODULE_REJECT;
768 * Add the port number to the Framed-IP-Address if
769 * vp->addport is set.
771 if (((tmp = pairfind(request->reply->vps,
772 PW_FRAMED_IP_ADDRESS, 0)) != NULL) &&
773 (tmp->flags.addport != 0)) {
774 VALUE_PAIR *vpPortId;
777 * Find the NAS port ID.
779 if ((vpPortId = pairfind(request->packet->vps,
780 PW_NAS_PORT, 0)) != NULL) {
781 unsigned long tvalue = ntohl(tmp->vp_integer);
782 tmp->vp_integer = htonl(tvalue + vpPortId->vp_integer);
783 tmp->flags.addport = 0;
784 ip_ntoa(tmp->vp_strvalue, tmp->vp_integer);
786 RDEBUG2("WARNING: No NAS-Port attribute in request. CANNOT return a Framed-IP-Address + NAS-Port.\n");
787 pairdelete(&request->reply->vps, PW_FRAMED_IP_ADDRESS, 0);
792 * Set the reply to Access-Accept, if it hasn't already
793 * been set to something. (i.e. Access-Challenge)
795 if (request->reply->code == 0)
796 request->reply->code = PW_AUTHENTICATION_ACK;
798 if ((module_msg = pairfind(request->packet->vps,PW_MODULE_SUCCESS_MESSAGE, 0)) != NULL){
799 char msg[MAX_STRING_LEN+12];
801 snprintf(msg, sizeof(msg), "Login OK (%s)",
802 module_msg->vp_strvalue);
803 rad_authlog(msg, request, 1);
805 rad_authlog("Login OK", request, 1);
809 * Run the modules in the 'post-auth' section.
811 result = rad_postauth(request);