2 * auth.c User authentication.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2000,2006 The FreeRADIUS server project
21 * Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
22 * Copyright 2000 Jeff Carneal <jeff@apex.net>
25 #include <freeradius-devel/ident.h>
28 #include <freeradius-devel/autoconf.h>
34 #ifdef HAVE_NETINET_IN_H
35 # include <netinet/in.h>
38 #include <freeradius-devel/radiusd.h>
39 #include <freeradius-devel/modules.h>
40 #include <freeradius-devel/rad_assert.h>
43 * Return a short string showing the terminal server, port
44 * and calling station ID.
46 char *auth_name(char *buf, size_t buflen, REQUEST *request, int do_cli) {
51 if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID)) == NULL)
53 if ((pair = pairfind(request->packet->vps, PW_NAS_PORT)) != NULL)
56 snprintf(buf, buflen, "from client %.128s port %u%s%.128s",
57 client_name_old(&request->packet->src_ipaddr), port,
58 (do_cli ? " cli " : ""), (do_cli ? (char *)cli->vp_strvalue : ""));
66 * Make sure user/pass are clean
69 static int rad_authlog(const char *msg, REQUEST *request, int goodpass) {
71 char clean_password[1024];
72 char clean_username[1024];
74 VALUE_PAIR *username = NULL;
76 if (!mainconfig.log_auth) {
81 * Get the correct username based on the configured value
83 if (log_stripped_names == 0) {
84 username = pairfind(request->packet->vps, PW_USER_NAME);
86 username = request->username;
90 * Clean up the username
92 if (username == NULL) {
93 strcpy(clean_username, "<no User-Name attribute>");
95 librad_safeprint((char *)username->vp_strvalue,
97 clean_username, sizeof(clean_username));
101 * Clean up the password
103 if (mainconfig.log_auth_badpass || mainconfig.log_auth_goodpass) {
104 if (!request->password) {
105 VALUE_PAIR *auth_type;
107 auth_type = pairfind(request->config_items,
109 if (auth_type && (auth_type->vp_strvalue[0] != '\0')) {
110 snprintf(clean_password, sizeof(clean_password),
111 "<via Auth-Type = %s>",
112 auth_type->vp_strvalue);
114 strcpy(clean_password, "<no User-Password attribute>");
116 } else if (request->password->attribute == PW_CHAP_PASSWORD) {
117 strcpy(clean_password, "<CHAP-Password>");
119 librad_safeprint((char *)request->password->vp_strvalue,
120 request->password->length,
121 clean_password, sizeof(clean_password));
126 radlog(L_AUTH, "%s: [%s%s%s] (%s)",
129 mainconfig.log_auth_goodpass ? "/" : "",
130 mainconfig.log_auth_goodpass ? clean_password : "",
131 auth_name(buf, sizeof(buf), request, 1));
133 radlog(L_AUTH, "%s: [%s%s%s] (%s)",
136 mainconfig.log_auth_badpass ? "/" : "",
137 mainconfig.log_auth_badpass ? clean_password : "",
138 auth_name(buf, sizeof(buf), request, 1));
149 * -2 Rejected (Auth-Type = Reject, send Port-Message back)
150 * 1 End check & return, don't reply
152 * NOTE: NOT the same as the RLM_ values !
154 static int rad_check_password(REQUEST *request)
156 VALUE_PAIR *auth_type_pair;
157 VALUE_PAIR *cur_config_item;
158 VALUE_PAIR *password_pair;
159 VALUE_PAIR *auth_item;
160 char string[MAX_STRING_LEN];
163 int auth_type_count = 0;
167 * Look for matching check items. We skip the whole lot
168 * if the authentication type is PW_AUTHTYPE_ACCEPT or
169 * PW_AUTHTYPE_REJECT.
171 cur_config_item = request->config_items;
172 while(((auth_type_pair = pairfind(cur_config_item, PW_AUTH_TYPE))) != NULL) {
173 auth_type = auth_type_pair->lvalue;
176 DEBUG2(" rad_check_password: Found Auth-Type %s",
177 auth_type_pair->vp_strvalue);
178 cur_config_item = auth_type_pair->next;
180 if (auth_type == PW_AUTHTYPE_REJECT) {
181 DEBUG2(" rad_check_password: Auth-Type = Reject, rejecting user");
186 if (( auth_type_count > 1) && (debug_flag)) {
187 radlog(L_ERR, "Warning: Found %d auth-types on request for user '%s'",
188 auth_type_count, request->username->vp_strvalue);
192 * This means we have a proxy reply or an accept
193 * and it wasn't rejected in the above loop. So
194 * that means it is accepted and we do no further
197 if ((auth_type == PW_AUTHTYPE_ACCEPT) || (request->proxy)) {
198 DEBUG2(" rad_check_password: Auth-Type = Accept, accepting the user");
202 password_pair = pairfind(request->config_items, PW_USER_PASSWORD);
204 pairfind(request->config_items, PW_CLEARTEXT_PASSWORD)) {
205 pairdelete(&request->config_items, PW_USER_PASSWORD);
206 password_pair = NULL;
210 DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
211 DEBUG("!!! Replacing User-Password in config items with Cleartext-Password. !!!");
212 DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
213 DEBUG("!!! Please update your configuration so that the \"known good\" !!!");
214 DEBUG("!!! clear text password is in Cleartext-Password, and not in User-Password. !!!");
215 DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
216 password_pair->attribute = PW_CLEARTEXT_PASSWORD;
217 strNcpy(password_pair->name, "Cleatext-Password",
218 sizeof(password_pair->name));
222 * Find the "known good" password.
224 * FIXME: We should get rid of these hacks, and replace
225 * them with a module.
227 if ((password_pair = pairfind(request->config_items, PW_CRYPT_PASSWORD)) != NULL) {
229 * Re-write Auth-Type, but ONLY if it isn't already
232 if (auth_type == -1) auth_type = PW_AUTHTYPE_CRYPT;
234 password_pair = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD);
239 auth_type = PW_AUTHTYPE_LOCAL;
242 * The admin hasn't told us how to
243 * authenticate the user, so we reject them!
247 DEBUG2("auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user");
255 case PW_AUTHTYPE_CRYPT:
257 * Find the password sent by the user. It
258 * SHOULD be there, if it's not
259 * authentication fails.
261 auth_item = request->password;
262 if (auth_item == NULL) {
263 DEBUG2("auth: No User-Password or CHAP-Password attribute in the request");
267 DEBUG2("auth: type Crypt");
268 if (password_pair == NULL) {
269 DEBUG2("No Crypt-Password configured for the user");
270 rad_authlog("Login incorrect "
271 "(No Crypt-Password configured for the user)", request, 0);
275 switch (lrad_crypt_check((char *)auth_item->vp_strvalue,
276 (char *)password_pair->vp_strvalue)) {
278 rad_authlog("Login incorrect "
279 "(system failed to supply an encrypted password for comparison)", request, 0);
284 case PW_AUTHTYPE_LOCAL:
285 DEBUG2("auth: type Local");
288 * Find the password sent by the user. It
289 * SHOULD be there, if it's not
290 * authentication fails.
292 auth_item = request->password;
293 if (auth_item == NULL) {
294 DEBUG2("auth: No User-Password or CHAP-Password attribute in the request");
299 * Plain text password.
301 if (password_pair == NULL) {
302 DEBUG2("auth: No password configured for the user");
303 rad_authlog("Login incorrect "
304 "(No password configured for the user)", request, 0);
309 * Local password is just plain text.
311 if (auth_item->attribute == PW_USER_PASSWORD) {
312 if (strcmp((char *)password_pair->vp_strvalue,
313 (char *)auth_item->vp_strvalue) != 0) {
314 DEBUG2("auth: user supplied User-Password does NOT match local User-Password");
317 DEBUG2("auth: user supplied User-Password matches local User-Password");
320 } else if (auth_item->attribute != PW_CHAP_PASSWORD) {
321 DEBUG2("The user did not supply a User-Password or a CHAP-Password attribute");
322 rad_authlog("Login incorrect "
323 "(no User-Password or CHAP-Password attribute)", request, 0);
327 rad_chap_encode(request->packet, string,
328 auth_item->vp_strvalue[0], password_pair);
333 if (memcmp(string + 1, auth_item->vp_strvalue + 1,
334 CHAP_VALUE_LENGTH) != 0) {
335 DEBUG2("auth: user supplied CHAP-Password does NOT match local User-Password");
338 DEBUG2("auth: user supplied CHAP-Password matches local User-Password");
341 dval = dict_valbyattr(PW_AUTH_TYPE, auth_type);
343 DEBUG2("auth: type \"%s\"", dval->name);
345 DEBUG2("auth: type UNKNOWN-%d", auth_type);
349 * See if there is a module that handles
350 * this type, and turn the RLM_ return
351 * status into the values as defined at
352 * the top of this function.
354 result = module_authenticate(auth_type, request);
357 * An authentication module FAIL
358 * return code, or any return code that
359 * is not expected from authentication,
360 * is the same as an explicit REJECT!
362 case RLM_MODULE_FAIL:
363 case RLM_MODULE_INVALID:
364 case RLM_MODULE_NOOP:
365 case RLM_MODULE_NOTFOUND:
366 case RLM_MODULE_REJECT:
367 case RLM_MODULE_UPDATED:
368 case RLM_MODULE_USERLOCK:
375 case RLM_MODULE_HANDLED:
386 * Post-authentication step processes the response before it is
387 * sent to the NAS. It can receive both Access-Accept and Access-Reject
390 int rad_postauth(REQUEST *request)
393 int postauth_type = 0;
397 * Do post-authentication calls. ignoring the return code.
399 vp = pairfind(request->config_items, PW_POST_AUTH_TYPE);
401 DEBUG2(" Found Post-Auth-Type %s", vp->vp_strvalue);
402 postauth_type = vp->lvalue;
404 result = module_post_auth(postauth_type, request);
407 * The module failed, or said to reject the user: Do so.
409 case RLM_MODULE_FAIL:
410 case RLM_MODULE_INVALID:
411 case RLM_MODULE_REJECT:
412 case RLM_MODULE_USERLOCK:
414 request->reply->code = PW_AUTHENTICATION_REJECT;
415 result = RLM_MODULE_REJECT;
418 * The module handled the request, cancel the reply.
420 case RLM_MODULE_HANDLED:
424 * The module had a number of OK return codes.
426 case RLM_MODULE_NOOP:
427 case RLM_MODULE_NOTFOUND:
429 case RLM_MODULE_UPDATED:
430 result = RLM_MODULE_OK;
437 * Before sending an Access-Reject, call the modules in the
438 * Post-Auth-Type REJECT stanza.
440 static int rad_postauth_reject(REQUEST *request)
446 dval = dict_valbyname(PW_POST_AUTH_TYPE, "REJECT");
448 /* Overwrite the Post-Auth-Type with the value REJECT */
449 pairdelete(&request->config_items, PW_POST_AUTH_TYPE);
450 tmp = paircreate(PW_POST_AUTH_TYPE, PW_TYPE_INTEGER);
451 tmp->lvalue = dval->value;
452 pairadd(&request->config_items, tmp);
453 result = rad_postauth(request);
455 /* No REJECT stanza */
456 result = RLM_MODULE_OK;
462 * Process and reply to an authentication request
464 * The return value of this function isn't actually used right now, so
465 * it's not entirely clear if it is returning the right things. --Pac.
467 int rad_authenticate(REQUEST *request)
469 VALUE_PAIR *namepair;
470 VALUE_PAIR *check_item;
471 VALUE_PAIR *auth_item;
472 VALUE_PAIR *module_msg;
473 VALUE_PAIR *tmp = NULL;
475 char umsg[MAX_STRING_LEN + 1];
476 const char *user_msg = NULL;
477 const char *password;
485 * If this request got proxied to another server, we need
486 * to check whether it authenticated the request or not.
488 if (request->proxy_reply) {
489 switch (request->proxy_reply->code) {
491 * Reply of ACCEPT means accept, thus set Auth-Type
494 case PW_AUTHENTICATION_ACK:
495 tmp = paircreate(PW_AUTH_TYPE, PW_TYPE_INTEGER);
497 radlog(L_ERR|L_CONS, "Not enough memory");
500 tmp->lvalue = PW_AUTHTYPE_ACCEPT;
501 pairadd(&request->config_items, tmp);
504 * Challenges are punted back to the NAS without any
505 * further processing.
507 case PW_ACCESS_CHALLENGE:
508 request->reply->code = PW_ACCESS_CHALLENGE;
509 return RLM_MODULE_OK;
511 * ALL other replies mean reject. (this is fail-safe)
513 * Do NOT do any authorization or authentication. They
514 * are being rejected, so we minimize the amount of work
515 * done by the server, by rejecting them here.
517 case PW_AUTHENTICATION_REJECT:
519 rad_authlog("Login incorrect (Home Server says so)",
521 request->reply->code = PW_AUTHENTICATION_REJECT;
522 rad_postauth_reject(request);
523 return RLM_MODULE_REJECT;
528 * Get the username from the request.
530 * Note that namepair MAY be NULL, in which case there
531 * is no User-Name attribute in the request.
533 namepair = request->username;
536 * Look for, and cache, passwords.
538 if (!request->password) {
539 request->password = pairfind(request->packet->vps,
544 * Discover which password we want to use.
546 auth_item = request->password;
548 password = (const char *)auth_item->vp_strvalue;
552 * Maybe there's a CHAP-Password?
554 if ((auth_item = pairfind(request->packet->vps,
555 PW_CHAP_PASSWORD)) != NULL) {
556 password = "<CHAP-PASSWORD>";
560 * No password we recognize.
562 password = "<NO-PASSWORD>";
565 request->password = auth_item;
568 * Get the user's authorization information from the database
571 result = module_authorize(autz_type, request);
573 case RLM_MODULE_NOOP:
574 case RLM_MODULE_NOTFOUND:
576 case RLM_MODULE_UPDATED:
578 case RLM_MODULE_FAIL:
579 case RLM_MODULE_HANDLED:
581 case RLM_MODULE_INVALID:
582 case RLM_MODULE_REJECT:
583 case RLM_MODULE_USERLOCK:
585 if ((module_msg = pairfind(request->packet->vps,
586 PW_MODULE_FAILURE_MESSAGE)) != NULL) {
587 char msg[MAX_STRING_LEN + 16];
588 snprintf(msg, sizeof(msg), "Invalid user (%s)",
589 module_msg->vp_strvalue);
590 rad_authlog(msg,request,0);
592 rad_authlog("Invalid user", request, 0);
594 request->reply->code = PW_AUTHENTICATION_REJECT;
598 tmp = pairfind(request->config_items, PW_AUTZ_TYPE);
600 DEBUG2(" Found Autz-Type %s", tmp->vp_strvalue);
601 autz_type = tmp->lvalue;
608 * If we haven't already proxied the packet, then check
609 * to see if we should. Maybe one of the authorize
610 * modules has decided that a proxy should be used. If
611 * so, get out of here and send the packet.
613 if ((request->proxy == NULL) &&
614 ((tmp = pairfind(request->config_items, PW_PROXY_TO_REALM)) != NULL)) {
618 * Catch users who set Proxy-To-Realm to a LOCAL
621 realm = realm_find(tmp->vp_strvalue, 0);
622 rad_assert((realm == NULL) || (realm->ipaddr.af == AF_INET));
623 if (realm && (realm->ipaddr.ipaddr.ip4addr.s_addr == htonl(INADDR_NONE))) {
624 DEBUG2(" WARNING: You set Proxy-To-Realm = %s, but it is a LOCAL realm! Cancelling invalid proxy request.", realm->realm);
627 * Don't authenticate, as the request is
630 return RLM_MODULE_OK;
635 * Perhaps there is a Stripped-User-Name now.
637 namepair = request->username;
643 result = rad_check_password(request);
646 return RLM_MODULE_HANDLED;
651 * Failed to validate the user.
653 * We PRESUME that the code which failed will clean up
654 * request->reply->vps, to be ONLY the reply items it
655 * wants to send back.
658 DEBUG2("auth: Failed to validate the user.");
659 request->reply->code = PW_AUTHENTICATION_REJECT;
661 if ((module_msg = pairfind(request->packet->vps,PW_MODULE_FAILURE_MESSAGE)) != NULL){
662 char msg[MAX_STRING_LEN+19];
664 snprintf(msg, sizeof(msg), "Login incorrect (%s)",
665 module_msg->vp_strvalue);
666 rad_authlog(msg, request, 0);
668 rad_authlog("Login incorrect", request, 0);
671 /* double check: maybe the secret is wrong? */
672 if ((debug_flag > 1) && (auth_item != NULL) &&
673 (auth_item->attribute == PW_USER_PASSWORD)) {
676 p = auth_item->vp_strvalue;
678 if (!isprint((int) *p)) {
679 log_debug(" WARNING: Unprintable characters in the password.\n\t Double-check the shared secret on the server and the NAS!");
688 (check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE)) != NULL) {
689 int r, session_type = 0;
691 tmp = pairfind(request->config_items, PW_SESSION_TYPE);
693 DEBUG2(" Found Session-Type %s", tmp->vp_strvalue);
694 session_type = tmp->lvalue;
698 * User authenticated O.K. Now we have to check
699 * for the Simultaneous-Use parameter.
702 (r = module_checksimul(session_type, request, check_item->lvalue)) != 0) {
706 /* Multilink attempt. Check if port-limit > simultaneous-use */
707 VALUE_PAIR *port_limit;
709 if ((port_limit = pairfind(request->reply->vps, PW_PORT_LIMIT)) != NULL &&
710 port_limit->lvalue > check_item->lvalue){
711 DEBUG2("main auth: MPP is OK");
716 if (check_item->lvalue > 1) {
717 snprintf(umsg, sizeof(umsg),
718 "\r\nYou are already logged in %d times - access denied\r\n\n",
719 (int)check_item->lvalue);
722 user_msg = "\r\nYou are already logged in - access denied\r\n\n";
725 request->reply->code = PW_AUTHENTICATION_REJECT;
728 * They're trying to log in too many times.
729 * Remove ALL reply attributes.
731 pairfree(&request->reply->vps);
732 tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
733 request->reply->vps = tmp;
735 snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
737 r == 2 ? "[MPP attempt]" : "");
738 rad_authlog(logstr, request, 1);
746 * Result should be >= 0 here - if not, it means the user
747 * is rejected, so we just process post-auth and return.
750 rad_postauth_reject(request);
751 return RLM_MODULE_REJECT;
755 * We might need this later. The 'password' string
756 * is NOT used anywhere below here, except for logging,
757 * so it should be safe...
759 if ((auth_item != NULL) && (auth_item->attribute == PW_CHAP_PASSWORD)) {
760 password = "CHAP-Password";
764 * Add the port number to the Framed-IP-Address if
765 * vp->addport is set.
767 if (((tmp = pairfind(request->reply->vps,
768 PW_FRAMED_IP_ADDRESS)) != NULL) &&
769 (tmp->flags.addport != 0)) {
770 VALUE_PAIR *vpPortId;
773 * Find the NAS port ID.
775 if ((vpPortId = pairfind(request->packet->vps,
776 PW_NAS_PORT)) != NULL) {
777 unsigned long tvalue = ntohl(tmp->lvalue);
778 tmp->lvalue = htonl(tvalue + vpPortId->lvalue);
779 tmp->flags.addport = 0;
780 ip_ntoa(tmp->vp_strvalue, tmp->lvalue);
782 DEBUG2("WARNING: No NAS-Port attribute in request. CANNOT return a Framed-IP-Address + NAS-Port.\n");
783 pairdelete(&request->reply->vps, PW_FRAMED_IP_ADDRESS);
788 * Set the reply to Access-Accept, if it hasn't already
789 * been set to something. (i.e. Access-Challenge)
791 if (request->reply->code == 0)
792 request->reply->code = PW_AUTHENTICATION_ACK;
794 if ((module_msg = pairfind(request->packet->vps,PW_MODULE_SUCCESS_MESSAGE)) != NULL){
795 char msg[MAX_STRING_LEN+12];
797 snprintf(msg, sizeof(msg), "Login OK (%s)",
798 module_msg->vp_strvalue);
799 rad_authlog(msg, request, 1);
801 rad_authlog("Login OK", request, 1);
805 * Run the modules in the 'post-auth' section.
807 result = rad_postauth(request);