authorAlan T. DeKok <aland@freeradius.org>2024-06-12 13:29:36 -0400
committerRobert Gingras <rgingras@mieweb.com>2025-03-31 11:39:54 -0400
commitdde67d80623bdca4da8e76467b90754e34835ae3 (patch)
tree06a8d6335fca0d8322717efd5215b04ae329eb7d
parent84184844ec80c840a3499bb3fedd74ea9acf4dd2 (diff)
add and document "require_message_authenticator" flag
-rw-r--r--USAGE8
-rw-r--r--src/pam_radius_auth.c11
-rw-r--r--src/pam_radius_auth.h1
3 files changed, 18 insertions, 2 deletions
diff --git a/USAGE b/USAGE
index 0fce66b..fdd1e70 100644
--- a/USAGE
+++ b/USAGE
@@ -104,5 +104,13 @@ max_challenge=# - configure maximum number of challenges that a server
may request. This is a workaround for broken servers
and disabled by default.
+prompt_attribute - Enable honoring of Prompt attribute sent from server for
+ challenge-response to enable/disable of echoing of user
+ input. Without this option all user input during
+ challenge-response will be echoed. See RFC2869 Section 5.10
+
+require_message_authenticator - Discard Access-Accept, Access-Challenge, and
+ Access-Reject packets which do not contain Message-Authenticator.
+
---------------------------------------------------------------------------
diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c
index aa3a650..560b141 100644
--- a/src/pam_radius_auth.c
+++ b/src/pam_radius_auth.c
@@ -131,6 +131,9 @@ static int _pam_parse(pam_handle_t * pamh, int argc, CONST char **argv,
} else if (!strncmp(*argv, "max_challenge=", 14)) {
conf->max_challenge = atoi(*argv + 14);
+ } else if (!strcmp(*argv, "require_message_authenticator")) {
+ conf->require_message_authenticator = TRUE;
+
} else {
_pam_log(pamh, LOG_WARNING, "unrecognized option '%s'",
*argv);
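Review bot: The blank line after `conf->require_message_authenticator = TRUE;` is out of step with the other branches of this `else if` chain, which run straight into the closing brace of the branch; dropping it keeps the chain scannable. Matching the flag with `strcmp` rather than the `strncmp` + `atoi` prefix form used for `max_challenge=` is right for a valueless boolean option, so the only change I would make here is removing that blank line. _pam_parse begins before this hunk.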
@@ -379,7 +382,7 @@ static void get_accounting_vector(AUTH_HDR * request, radius_server_t * server)
/*
* Verify the response from the server
*/
-static int verify_packet(radius_server_t *server, AUTH_HDR *response, AUTH_HDR *request)
+static int verify_packet(radius_server_t *server, AUTH_HDR *response, AUTH_HDR *request, radius_conf_t *conf)
{
MD5_CTX my_md5;
uint8_t calculated[AUTH_VECTOR_LEN];
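Review bot: The new `conf` parameter is undocumented; the comment above `verify_packet` still reads only `Verify the response from the server`. I would extend it to state that `conf` is consulted for `require_message_authenticator`, and to spell out the return convention (the caller treats a false return as a verification failure), e.g. `* Returns TRUE if the response authenticator checks out and, when conf->require_message_authenticator is set, the response carries Message-Authenticator; FALSE otherwise.` The body of verify_packet continues past this hunk.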
@@ -414,6 +417,10 @@ static int verify_packet(radius_server_t *server, AUTH_HDR *response, AUTH_HDR *
attr += attr[1];
}
+ if ((request->code == PW_AUTHENTICATION_REQUEST) && conf->require_message_authenticator && !message_authenticator) {
+ return FALSE;
+ }
+
/*
* We could dispense with the memcpy, and do MD5's of the packet
* + vector piece by piece. This is easier understand, and maybe faster.
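Review bot: The rejection at `return FALSE;` is silent and, at the caller, indistinguishable from a Response Authenticator mismatch — the only diagnostic is the generic `response from server %s failed verification` message in talk_radius (the last hunk of this file). Because this flag exists so an operator can discover servers that omit Message-Authenticator, a comment naming the reason here and a distinct log line in the caller would make a rollout failure diagnosable; verify_packet receives no pamh, so the log itself has to stay in talk_radius. `message_authenticator` is assigned in the attribute walk above, which starts outside this hunk, and presence of the attribute only buys anything if its HMAC-MD5 is actually validated later in this function, which I cannot see from here — if it is not, this check should be paired with that validation. Suggested comment: `/* Operator opted in to RFC 2869 Message-Authenticator enforcement: an auth response without it is treated as unauthenticated. */`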
@@ -1248,7 +1255,7 @@ static int talk_radius(radius_conf_t * conf, AUTH_HDR * request,
}
if (!verify_packet
- (server, response, request)) {
+ (server, response, request, conf)) {
_pam_log(pamh, LOG_ERR,
"response from server"
" %s failed"
diff --git a/src/pam_radius_auth.h b/src/pam_radius_auth.h
index da7177b..5f056c5 100644
--- a/src/pam_radius_auth.h
+++ b/src/pam_radius_auth.h
@@ -158,6 +158,7 @@ typedef struct radius_conf_t {
char privusrmap[64];
int prompt_attribute;
int privilege_level;
+ int require_message_authenticator;
uint8_t *message_authenticator;
} radius_conf_t;
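Review bot: The new `require_message_authenticator` field carries no comment, and unlike its neighbour `prompt_attribute` it changes what the module accepts from the network, so a one-line note at the declaration would help whoever next reads this struct: `int require_message_authenticator; /* reject auth responses lacking Message-Authenticator (see USAGE) */`. It is an `int` used as a boolean, which matches the surrounding fields. The start of the radius_conf_t definition is outside this hunk.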