2 * auth.c User authentication.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2000,2006 The FreeRADIUS server project
21 * Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
22 * Copyright 2000 Jeff Carneal <jeff@apex.net>
25 #include <freeradius-devel/ident.h>
28 #include <freeradius-devel/radiusd.h>
29 #include <freeradius-devel/modules.h>
30 #include <freeradius-devel/rad_assert.h>
35 * Return a short string showing the terminal server, port
36 * and calling station ID.
38 char *auth_name(char *buf, size_t buflen, REQUEST *request, int do_cli)
44 if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID)) == NULL)
46 if ((pair = pairfind(request->packet->vps, PW_NAS_PORT)) != NULL)
47 port = pair->vp_integer;
49 snprintf(buf, buflen, "from client %.128s port %u%s%.128s%s",
50 request->client->shortname, port,
51 (do_cli ? " cli " : ""), (do_cli ? (char *)cli->vp_strvalue : ""),
52 (request->packet->dst_port == 0) ? " via TLS tunnel" : "");
60 * Make sure user/pass are clean
63 static int rad_authlog(const char *msg, REQUEST *request, int goodpass) {
65 char clean_password[1024];
66 char clean_username[1024];
68 VALUE_PAIR *username = NULL;
70 if (!request->root->log_auth) {
75 * Get the correct username based on the configured value
77 if (log_stripped_names == 0) {
78 username = pairfind(request->packet->vps, PW_USER_NAME);
80 username = request->username;
84 * Clean up the username
86 if (username == NULL) {
87 strcpy(clean_username, "<no User-Name attribute>");
89 librad_safeprint((char *)username->vp_strvalue,
91 clean_username, sizeof(clean_username));
95 * Clean up the password
97 if (request->root->log_auth_badpass || request->root->log_auth_goodpass) {
98 if (!request->password) {
99 VALUE_PAIR *auth_type;
101 auth_type = pairfind(request->config_items,
103 if (auth_type && (auth_type->vp_strvalue[0] != '\0')) {
104 snprintf(clean_password, sizeof(clean_password),
105 "<via Auth-Type = %s>",
106 auth_type->vp_strvalue);
108 strcpy(clean_password, "<no User-Password attribute>");
110 } else if (pairfind(request->packet->vps, PW_CHAP_PASSWORD)) {
111 strcpy(clean_password, "<CHAP-Password>");
113 librad_safeprint((char *)request->password->vp_strvalue,
114 request->password->length,
115 clean_password, sizeof(clean_password));
120 radlog(L_AUTH, "%s: [%s%s%s] (%s)",
123 request->root->log_auth_goodpass ? "/" : "",
124 request->root->log_auth_goodpass ? clean_password : "",
125 auth_name(buf, sizeof(buf), request, 1));
127 radlog(L_AUTH, "%s: [%s%s%s] (%s)",
130 request->root->log_auth_badpass ? "/" : "",
131 request->root->log_auth_badpass ? clean_password : "",
132 auth_name(buf, sizeof(buf), request, 1));
143 * -2 Rejected (Auth-Type = Reject, send Port-Message back)
144 * 1 End check & return, don't reply
146 * NOTE: NOT the same as the RLM_ values !
148 static int rad_check_password(REQUEST *request)
150 VALUE_PAIR *auth_type_pair;
151 VALUE_PAIR *cur_config_item;
152 VALUE_PAIR *password_pair;
153 VALUE_PAIR *auth_item;
154 uint8_t my_chap[MAX_STRING_LEN];
157 int auth_type_count = 0;
161 * Look for matching check items. We skip the whole lot
162 * if the authentication type is PW_AUTHTYPE_ACCEPT or
163 * PW_AUTHTYPE_REJECT.
165 cur_config_item = request->config_items;
166 while(((auth_type_pair = pairfind(cur_config_item, PW_AUTH_TYPE))) != NULL) {
167 auth_type = auth_type_pair->vp_integer;
170 DEBUG2(" rad_check_password: Found Auth-Type %s",
171 auth_type_pair->vp_strvalue);
172 cur_config_item = auth_type_pair->next;
174 if (auth_type == PW_AUTHTYPE_REJECT) {
175 DEBUG2(" rad_check_password: Auth-Type = Reject, rejecting user");
180 if (( auth_type_count > 1) && (debug_flag)) {
181 radlog(L_ERR, "Warning: Found %d auth-types on request for user '%s'",
182 auth_type_count, request->username->vp_strvalue);
186 * This means we have a proxy reply or an accept
187 * and it wasn't rejected in the above loop. So
188 * that means it is accepted and we do no further
191 if ((auth_type == PW_AUTHTYPE_ACCEPT) || (request->proxy)) {
192 DEBUG2(" rad_check_password: Auth-Type = Accept, accepting the user");
196 password_pair = pairfind(request->config_items, PW_USER_PASSWORD);
198 pairfind(request->config_items, PW_CLEARTEXT_PASSWORD)) {
199 pairdelete(&request->config_items, PW_USER_PASSWORD);
200 password_pair = NULL;
206 DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
207 DEBUG("!!! Replacing User-Password in config items with Cleartext-Password. !!!");
208 DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
209 DEBUG("!!! Please update your configuration so that the \"known good\" !!!");
210 DEBUG("!!! clear text password is in Cleartext-Password, and not in User-Password. !!!");
211 DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
212 password_pair->attribute = PW_CLEARTEXT_PASSWORD;
213 da = dict_attrbyvalue(PW_CLEARTEXT_PASSWORD);
215 radlog(L_ERR, "FATAL: You broke the dictionaries. Please use the default dictionaries!");
219 password_pair->name = da->name;
223 * Find the "known good" password.
225 * FIXME: We should get rid of these hacks, and replace
226 * them with a module.
228 if ((password_pair = pairfind(request->config_items, PW_CRYPT_PASSWORD)) != NULL) {
230 * Re-write Auth-Type, but ONLY if it isn't already
233 if (auth_type == -1) auth_type = PW_AUTHTYPE_CRYPT;
235 password_pair = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD);
240 auth_type = PW_AUTHTYPE_LOCAL;
243 * The admin hasn't told us how to
244 * authenticate the user, so we reject them!
248 DEBUG2("auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user");
256 case PW_AUTHTYPE_CRYPT:
258 * Find the password sent by the user. It
259 * SHOULD be there, if it's not
260 * authentication fails.
262 auth_item = request->password;
263 if (auth_item == NULL) {
264 DEBUG2("auth: No User-Password or CHAP-Password attribute in the request");
268 DEBUG2("auth: type Crypt");
269 if (password_pair == NULL) {
270 DEBUG2("No Crypt-Password configured for the user");
271 rad_authlog("Login incorrect "
272 "(No Crypt-Password configured for the user)", request, 0);
276 switch (fr_crypt_check((char *)auth_item->vp_strvalue,
277 (char *)password_pair->vp_strvalue)) {
279 rad_authlog("Login incorrect "
280 "(system failed to supply an encrypted password for comparison)", request, 0);
285 case PW_AUTHTYPE_LOCAL:
286 DEBUG2("auth: type Local");
289 * Find the password sent by the user. It
290 * SHOULD be there, if it's not
291 * authentication fails.
293 auth_item = request->password;
295 auth_item = pairfind(request->packet->vps,
298 DEBUG2("auth: No User-Password or CHAP-Password attribute in the request");
303 * Plain text password.
305 if (password_pair == NULL) {
306 DEBUG2("auth: No password configured for the user");
307 rad_authlog("Login incorrect "
308 "(No password configured for the user)", request, 0);
313 * Local password is just plain text.
315 if (auth_item->attribute == PW_USER_PASSWORD) {
316 if (strcmp((char *)password_pair->vp_strvalue,
317 (char *)auth_item->vp_strvalue) != 0) {
318 DEBUG2("auth: user supplied User-Password does NOT match local User-Password");
321 DEBUG2("auth: user supplied User-Password matches local User-Password");
324 } else if (auth_item->attribute != PW_CHAP_PASSWORD) {
325 DEBUG2("The user did not supply a User-Password or a CHAP-Password attribute");
326 rad_authlog("Login incorrect "
327 "(no User-Password or CHAP-Password attribute)", request, 0);
331 rad_chap_encode(request->packet, my_chap,
332 auth_item->vp_octets[0], password_pair);
337 if (memcmp(my_chap + 1, auth_item->vp_strvalue + 1,
338 CHAP_VALUE_LENGTH) != 0) {
339 DEBUG2("auth: user supplied CHAP-Password does NOT match local User-Password");
342 DEBUG2("auth: user supplied CHAP-Password matches local User-Password");
345 dval = dict_valbyattr(PW_AUTH_TYPE, auth_type);
347 DEBUG2("auth: type \"%s\"", dval->name);
349 DEBUG2("auth: type UNKNOWN-%d", auth_type);
353 * See if there is a module that handles
354 * this type, and turn the RLM_ return
355 * status into the values as defined at
356 * the top of this function.
358 result = module_authenticate(auth_type, request);
361 * An authentication module FAIL
362 * return code, or any return code that
363 * is not expected from authentication,
364 * is the same as an explicit REJECT!
366 case RLM_MODULE_FAIL:
367 case RLM_MODULE_INVALID:
368 case RLM_MODULE_NOOP:
369 case RLM_MODULE_NOTFOUND:
370 case RLM_MODULE_REJECT:
371 case RLM_MODULE_UPDATED:
372 case RLM_MODULE_USERLOCK:
379 case RLM_MODULE_HANDLED:
390 * Post-authentication step processes the response before it is
391 * sent to the NAS. It can receive both Access-Accept and Access-Reject
394 int rad_postauth(REQUEST *request)
397 int postauth_type = 0;
401 * Do post-authentication calls. ignoring the return code.
403 vp = pairfind(request->config_items, PW_POST_AUTH_TYPE);
405 DEBUG2(" Found Post-Auth-Type %s", vp->vp_strvalue);
406 postauth_type = vp->vp_integer;
408 result = module_post_auth(postauth_type, request);
411 * The module failed, or said to reject the user: Do so.
413 case RLM_MODULE_FAIL:
414 case RLM_MODULE_INVALID:
415 case RLM_MODULE_REJECT:
416 case RLM_MODULE_USERLOCK:
418 request->reply->code = PW_AUTHENTICATION_REJECT;
419 result = RLM_MODULE_REJECT;
422 * The module handled the request, cancel the reply.
424 case RLM_MODULE_HANDLED:
428 * The module had a number of OK return codes.
430 case RLM_MODULE_NOOP:
431 case RLM_MODULE_NOTFOUND:
433 case RLM_MODULE_UPDATED:
434 result = RLM_MODULE_OK;
441 * Process and reply to an authentication request
443 * The return value of this function isn't actually used right now, so
444 * it's not entirely clear if it is returning the right things. --Pac.
446 int rad_authenticate(REQUEST *request)
448 VALUE_PAIR *namepair;
449 VALUE_PAIR *check_item;
450 VALUE_PAIR *auth_item;
451 VALUE_PAIR *module_msg;
452 VALUE_PAIR *tmp = NULL;
454 char umsg[MAX_STRING_LEN + 1];
455 const char *user_msg = NULL;
456 const char *password;
464 * If this request got proxied to another server, we need
465 * to check whether it authenticated the request or not.
467 if (request->proxy_reply) {
468 switch (request->proxy_reply->code) {
470 * Reply of ACCEPT means accept, thus set Auth-Type
473 case PW_AUTHENTICATION_ACK:
474 tmp = radius_paircreate(request,
475 &request->config_items,
476 PW_AUTH_TYPE, PW_TYPE_INTEGER);
477 if (tmp) tmp->vp_integer = PW_AUTHTYPE_ACCEPT;
481 * Challenges are punted back to the NAS without any
482 * further processing.
484 case PW_ACCESS_CHALLENGE:
485 request->reply->code = PW_ACCESS_CHALLENGE;
486 return RLM_MODULE_OK;
488 * ALL other replies mean reject. (this is fail-safe)
490 * Do NOT do any authorization or authentication. They
491 * are being rejected, so we minimize the amount of work
492 * done by the server, by rejecting them here.
494 case PW_AUTHENTICATION_REJECT:
496 rad_authlog("Login incorrect (Home Server says so)",
498 request->reply->code = PW_AUTHENTICATION_REJECT;
499 return RLM_MODULE_REJECT;
504 * Get the username from the request.
506 * Note that namepair MAY be NULL, in which case there
507 * is no User-Name attribute in the request.
509 namepair = request->username;
512 * Look for, and cache, passwords.
514 if (!request->password) {
515 request->password = pairfind(request->packet->vps,
520 * Discover which password we want to use.
522 auth_item = request->password;
524 password = (const char *)auth_item->vp_strvalue;
528 * Maybe there's a CHAP-Password?
530 if ((auth_item = pairfind(request->packet->vps,
531 PW_CHAP_PASSWORD)) != NULL) {
532 password = "<CHAP-PASSWORD>";
536 * No password we recognize.
538 password = "<NO-PASSWORD>";
541 request->password = auth_item;
544 * Get the user's authorization information from the database
547 result = module_authorize(autz_type, request);
549 case RLM_MODULE_NOOP:
550 case RLM_MODULE_NOTFOUND:
552 case RLM_MODULE_UPDATED:
554 case RLM_MODULE_HANDLED:
556 case RLM_MODULE_FAIL:
557 case RLM_MODULE_INVALID:
558 case RLM_MODULE_REJECT:
559 case RLM_MODULE_USERLOCK:
561 if ((module_msg = pairfind(request->packet->vps,
562 PW_MODULE_FAILURE_MESSAGE)) != NULL) {
563 char msg[MAX_STRING_LEN + 16];
564 snprintf(msg, sizeof(msg), "Invalid user (%s)",
565 module_msg->vp_strvalue);
566 rad_authlog(msg,request,0);
568 rad_authlog("Invalid user", request, 0);
570 request->reply->code = PW_AUTHENTICATION_REJECT;
574 tmp = pairfind(request->config_items, PW_AUTZ_TYPE);
576 DEBUG2(" Found Autz-Type %s", tmp->vp_strvalue);
577 autz_type = tmp->vp_integer;
584 * If we haven't already proxied the packet, then check
585 * to see if we should. Maybe one of the authorize
586 * modules has decided that a proxy should be used. If
587 * so, get out of here and send the packet.
589 if ((request->proxy == NULL) &&
590 ((tmp = pairfind(request->config_items, PW_PROXY_TO_REALM)) != NULL)) {
593 realm = realm_find2(tmp->vp_strvalue);
596 * Don't authenticate, as the request is going to
599 if (realm && realm->auth_pool) {
600 return RLM_MODULE_OK;
604 * Catch users who set Proxy-To-Realm to a LOCAL
605 * realm (sigh). But don't complain if it is
608 if (realm &&(strcmp(realm->name, "LOCAL") != 0)) {
609 DEBUG2(" WARNING: You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling invalid proxy request.", realm->name);
613 DEBUG2(" WARNING: You set Proxy-To-Realm = %s, but the realm does not exist! Cancelling invalid proxy request.", tmp->vp_strvalue);
619 * Perhaps there is a Stripped-User-Name now.
621 namepair = request->username;
627 result = rad_check_password(request);
630 return RLM_MODULE_HANDLED;
635 * Failed to validate the user.
637 * We PRESUME that the code which failed will clean up
638 * request->reply->vps, to be ONLY the reply items it
639 * wants to send back.
642 DEBUG2("auth: Failed to validate the user.");
643 request->reply->code = PW_AUTHENTICATION_REJECT;
645 if ((module_msg = pairfind(request->packet->vps,PW_MODULE_FAILURE_MESSAGE)) != NULL){
646 char msg[MAX_STRING_LEN+19];
648 snprintf(msg, sizeof(msg), "Login incorrect (%s)",
649 module_msg->vp_strvalue);
650 rad_authlog(msg, request, 0);
652 rad_authlog("Login incorrect", request, 0);
655 /* double check: maybe the secret is wrong? */
656 if ((debug_flag > 1) && (auth_item != NULL) &&
657 (auth_item->attribute == PW_USER_PASSWORD)) {
660 p = auth_item->vp_strvalue;
662 if (!isprint((int) *p)) {
663 log_debug(" WARNING: Unprintable characters in the password.\n\t Double-check the shared secret on the server and the NAS!");
672 (check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE)) != NULL) {
673 int r, session_type = 0;
675 tmp = pairfind(request->config_items, PW_SESSION_TYPE);
677 DEBUG2(" Found Session-Type %s", tmp->vp_strvalue);
678 session_type = tmp->vp_integer;
682 * User authenticated O.K. Now we have to check
683 * for the Simultaneous-Use parameter.
686 (r = module_checksimul(session_type, request, check_item->vp_integer)) != 0) {
690 /* Multilink attempt. Check if port-limit > simultaneous-use */
691 VALUE_PAIR *port_limit;
693 if ((port_limit = pairfind(request->reply->vps, PW_PORT_LIMIT)) != NULL &&
694 port_limit->vp_integer > check_item->vp_integer){
695 DEBUG2("main auth: MPP is OK");
700 if (check_item->vp_integer > 1) {
701 snprintf(umsg, sizeof(umsg),
702 "\r\nYou are already logged in %d times - access denied\r\n\n",
703 (int)check_item->vp_integer);
706 user_msg = "\r\nYou are already logged in - access denied\r\n\n";
709 request->reply->code = PW_AUTHENTICATION_REJECT;
712 * They're trying to log in too many times.
713 * Remove ALL reply attributes.
715 pairfree(&request->reply->vps);
716 radius_pairmake(request, &request->reply->vps,
720 snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
721 check_item->vp_integer,
722 r == 2 ? "[MPP attempt]" : "");
723 rad_authlog(logstr, request, 1);
731 * Result should be >= 0 here - if not, it means the user
732 * is rejected, so we just process post-auth and return.
735 return RLM_MODULE_REJECT;
739 * We might need this later. The 'password' string
740 * is NOT used anywhere below here, except for logging,
741 * so it should be safe...
743 if ((auth_item != NULL) && (auth_item->attribute == PW_CHAP_PASSWORD)) {
744 password = "CHAP-Password";
748 * Add the port number to the Framed-IP-Address if
749 * vp->addport is set.
751 if (((tmp = pairfind(request->reply->vps,
752 PW_FRAMED_IP_ADDRESS)) != NULL) &&
753 (tmp->flags.addport != 0)) {
754 VALUE_PAIR *vpPortId;
757 * Find the NAS port ID.
759 if ((vpPortId = pairfind(request->packet->vps,
760 PW_NAS_PORT)) != NULL) {
761 unsigned long tvalue = ntohl(tmp->vp_integer);
762 tmp->vp_integer = htonl(tvalue + vpPortId->vp_integer);
763 tmp->flags.addport = 0;
764 ip_ntoa(tmp->vp_strvalue, tmp->vp_integer);
766 DEBUG2("WARNING: No NAS-Port attribute in request. CANNOT return a Framed-IP-Address + NAS-Port.\n");
767 pairdelete(&request->reply->vps, PW_FRAMED_IP_ADDRESS);
772 * Set the reply to Access-Accept, if it hasn't already
773 * been set to something. (i.e. Access-Challenge)
775 if (request->reply->code == 0)
776 request->reply->code = PW_AUTHENTICATION_ACK;
778 if ((module_msg = pairfind(request->packet->vps,PW_MODULE_SUCCESS_MESSAGE)) != NULL){
779 char msg[MAX_STRING_LEN+12];
781 snprintf(msg, sizeof(msg), "Login OK (%s)",
782 module_msg->vp_strvalue);
783 rad_authlog(msg, request, 1);
785 rad_authlog("Login OK", request, 1);
789 * Run the modules in the 'post-auth' section.
791 result = rad_postauth(request);