[PATCH] libradius: Always Include Authenticator
Paul Querna
pquerna at apache.org
Wed Jul 6 15:53:00 GMT 2005
Brian Candler wrote:
> On Tue, Jul 05, 2005 at 12:32:58PM -0700, Paul Querna wrote:
>
>>The attached patch will always include the Authenticator Field, in all
>>RADIUS packets, not just accounting packets. This is a SHOULD violation
>>from the RFC.
>
>
> I don't understand this. If you're talking about RFC 2865, which bit exactly
> are you referring to?
>
Sorry, this is my misunderstanding of the RFC. I thought that an
authenticator should of been generated with the same method for both
access requests and account requests.
> As far as I can see, the function insert_request_authenticator() generates
> the authenticator by hashing all the attributes within the request plus the
> shared secret. This is the correct behaviour for accounting requests (only).
> Your patch wrongly applies this to Access-Request as well.
>
> In Access-Request packets, the Request Authenticator should be a *random*
> number (RFC2865 section 3, page 15), and this is already done by
> rad_create_request()
>
> So, can you describe more precisely how and why you think the current
> behaviour is wrong?
The behavior I am seeing is that this random number is _always_ the same.
>>I found this problem fixing a bug for my mod_auth_xradius[1]. It
>>appears that some commercial RADIUS authentication servers will reject
>>packets with identical Authenticator fields as duplicates.
>
>
> But these RADIUS servers, even if they detect a duplicate, are required to
> send the same response as they did to the original request.
>
> Is the packet actually a duplicate, or is it a different authentication
> request? If it's different, then it should have a different random
> authenticator. Are you saying that the random number generator is giving the
> same answer each time? If so then it's a seeding problem. I see that
> srandomdev() is called in rad_auth_open though.
Different authentication requests. All have the same authenticator.
Looking closely, it appears the root cause was a problem when I ported
the code to Linux. Linux doesn't have a srandomdev() :)
Sorry for the noise, I made a mistake.
-Paul
More information about the freebsd-current
mailing list