Fixed: pam_radius skip_passwd #61
Conversation
At our site we only allow: * OTP * pubkey, OTP So no password ask at all. We have the following pam_radius setup * `auth sufficient pam_radius_auth.so skip_passwd retry=1` This fails at our site because we have `pam_radius` version 1.4.0. This is a known problem fixed in 2021: * FreeRADIUS/pam_radius#27 A lot of distributions do not have this fix. So I also solved it in the perl module. `skip_passwd` must sent a `NULL` but instead sent garbled input: ``` Mon Oct 24 13:58:56 2022 : rlm_perl: RAD_REQUEST: User-Password = ??Џ?H??;??;2@?? ``` This is detected and fixed with this patch
|
Is there something wrong with this patch? |
|
Why don't you use the OTP as a password and simply "skip" This PR does not work, since it will fail for all other encodings except "ascii". I.e. it will not work with passwords with special chars (which will also be sent via RADIUS to our perl module!) |
|
I assumes that totp/hotp tokens where ascii. we can delete with Is much more friendly and the user know what to do As said with newer pam _radius versions no problem and maybe we must make an option for this which encodings we support. But a lot of distros have still the old one |
|
Same here would be nice to have a response or update. It is a fix for disto's still shipping old |
|
would be nice to have some feedback ;-). I will keep my updated version |
At our site we only allow:
So no password ask at all. We have the following pam_radius setup
auth sufficient pam_radius_auth.so skip_passwd retry=1This fails at our site because we have
pam_radiusversion 1.4.0. This is a known problem fixed in 2021:A lot of distributions do not have this fix. So I also solved it in the perl module.
skip_passwdmust sent aNULLbut instead sent garbled input:This is detected and fixed with this patch