Date:      Wed, 06 Jul 2005 08:52:59 -0700
From:      Paul Querna <pquerna@apache.org>
To:        Brian Candler <B.Candler@pobox.com>
Cc:        freebsd-current@freebsd.org
Subject:   Re: [PATCH] libradius: Always Include Authenticator
Message-ID:  <42CBFE5B.6000401@apache.org>
In-Reply-To: <20050706100829.GA83543@uk.tiscali.com>
References:  <42CAE06A.6000003@apache.org> <20050706100829.GA83543@uk.tiscali.com>

Brian Candler wrote:
> On Tue, Jul 05, 2005 at 12:32:58PM -0700, Paul Querna wrote:
> 
>>The attached patch will always include the Authenticator Field, in all 
>>RADIUS packets, not just accounting packets.  This is a SHOULD violation 
>>from the RFC.
> 
> 
> I don't understand this. If you're talking about RFC 2865, which bit exactly
> are you referring to?
> 

Sorry, this is my misunderstanding of the RFC.  I thought that an 
authenticator should have been generated with the same method for both 
access requests and account requests.

> As far as I can see, the function insert_request_authenticator() generates
> the authenticator by hashing all the attributes within the request plus the
> shared secret. This is the correct behaviour for accounting requests (only).
> Your patch wrongly applies this to Access-Request as well.
> 
> In Access-Request packets, the Request Authenticator should be a *random*
> number (RFC2865 section 3, page 15), and this is already done by
> rad_create_request()
> 
> So, can you describe more precisely how and why you think the current
> behaviour is wrong?

The behavior I am seeing is that this random number is _always_ the same.

>>I found this problem fixing a bug for my mod_auth_xradius[1].  It 
>>appears that some commercial RADIUS authentication servers will reject 
>>packets with identical Authenticator fields as duplicates.
> 
> 
> But these RADIUS servers, even if they detect a duplicate, are required to
> send the same response as they did to the original request.
> 
> Is the packet actually a duplicate, or is it a different authentication
> request? If it's different, then it should have a different random
> authenticator. Are you saying that the random number generator is giving the
> same answer each time? If so then it's a seeding problem. I see that
> srandomdev() is called in rad_auth_open though.

Different authentication requests.  All have the same authenticator.

Looking closely, it appears the root cause was a problem when I ported 
the code to Linux.  Linux doesn't have a srandomdev() :)

Sorry for the noise, I made a mistake.

-Paul
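The two Request Authenticator rules the thread distinguishes, and the failure mode Paul traced, as an added example (Python; this is not libradius or mod_auth_xradius code): an Access-Request authenticator is 16 unpredictable octets drawn from the OS CSPRNG, an Accounting-Request authenticator is the RFC 2866 MD5 over the packet with the authenticator zeroed plus the shared secret, and a never-seeded PRNG hands every fresh process the same "random" authenticator, which is what a server-side repeat check catches. The shared secret and attributes are constructed test data, and `random.Random(1)` stands in for an unseeded libc `random()` (an assumption of this example; libc's actual sequence differs but is just as fixed).

```python
"""RADIUS Request Authenticator rules, RFC 2865 (Access-Request) and
RFC 2866 (Accounting-Request). Added example; not libradius code."""
import hashlib
import os
import random
import struct

ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS Type-Length-Value attributes."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for one TLV")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def access_request_authenticator():
    """Access-Request: 16 unpredictable octets (RFC 2865 section 3).
    Use the OS CSPRNG, not a libc PRNG that needs explicit seeding."""
    return os.urandom(16)


def accounting_request_authenticator(identifier, attrs, secret):
    """Accounting-Request: MD5(Code + ID + Length + 16 zero octets +
    attributes + shared secret) (RFC 2866 section 3)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier,
                         HEADER_LEN + len(body))
    return hashlib.md5(header + b"\x00" * 16 + body + secret).digest()


def build_request(code, identifier, authenticator, attrs):
    """Assemble a request packet: header, authenticator, attributes."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """Server side: recompute the authenticator over the packet with the
    authenticator field zeroed and compare it with what was sent."""
    if len(packet) < HEADER_LEN or packet[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    sent = packet[4:20]
    zeroed = packet[:4] + b"\x00" * 16 + packet[20:]
    return hashlib.md5(zeroed + secret).digest() == sent


def unseeded_prng_authenticator():
    """Models the bug in the thread: with no srandomdev(), random() is never
    seeded, so every new process walks the same sequence and its first
    "random" authenticator is identical. random.Random(1) stands in for that
    fixed start state (assumption of this example, not libc's real stream)."""
    rng = random.Random(1)
    return bytes(rng.getrandbits(8) for _ in range(16))


def repeated_authenticators(packets):
    """Flag distinct requests that carry an identical Request Authenticator,
    the symptom reported in the thread. Returns (earlier ID, later ID) pairs."""
    seen = {}
    repeats = []
    for pkt in packets:
        auth, ident = pkt[4:20], pkt[1]
        if auth in seen:
            repeats.append((seen[auth], ident))
        else:
            seen[auth] = ident
    return repeats


if __name__ == "__main__":
    secret = b"s3cret"        # constructed shared secret
    attrs = [(1, b"alice")]   # User-Name, constructed
    good = [build_request(ACCESS_REQUEST, i, access_request_authenticator(), attrs)
            for i in (1, 2, 3)]
    bad = [build_request(ACCESS_REQUEST, i, unseeded_prng_authenticator(), attrs)
           for i in (1, 2, 3)]
    print("CSPRNG repeats:", repeated_authenticators(good))
    print("unseeded repeats:", repeated_authenticators(bad))
    acct = build_request(ACCOUNTING_REQUEST, 7,
                         accounting_request_authenticator(7, attrs, secret), attrs)
    print("accounting verifies:", verify_accounting_request(acct, secret))
```

On a platform without `srandomdev()`, the fix is not to seed `random()` by hand from the clock but to take the 16 octets straight from the kernel CSPRNG (here `os.urandom`; in C, `arc4random_buf()` or reading `/dev/urandom`), since the Access-Request authenticator also keys the User-Password obfuscation and must not be guessable.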


