Authorization with an empty password

fantom
Posts: 2
Joined: Fri Nov 19, 2010 4:03 pm

Authorization with an empty password

Post by fantom »

Good evening. I noticed a quirk in operation: authorization succeeds if no password is specified.
Here are my configs:
RADIUS server config file:
authorize {
preprocess
abills_preauth
mschap
chap
files
abills_auth
}

The config on the NAS is:
debug
mtu 1472
mru 1472
auth
require-pap
default-asyncmap
ktune
lcp-echo-interval 5
lcp-echo-failure 2
plugin /etc/ppp/plugins/rp-pppoe.so
plugin /usr/lib/pppd/2.4.5/radius.so
plugin /usr/lib/pppd/2.4.5/radattr.so
nobsdcomp
noccp
noendpoint
noipdefault
noipx
novj
receive-all

According to the logs, when connecting with a password it writes the following:
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 39396, id=124, length=90
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "vpntest"
User-Password = "23ytbcghfdyjcnm1"
Calling-Station-Id = "00:13:D4:ED:B0:DB"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 1060
+- entering group authorize {...}
++[preprocess] returns ok
Exec-Program output: Auth-Type := Accept
Exec-Program-Wait: value-pairs: Auth-Type := Accept
Exec-Program: returned: 0
++[abills_preauth] returns ok
++[mschap] returns noop
[files] users: Matched entry DEFAULT at line 173
++[files] returns ok
Exec-Program output: Acct-Interim-Interval = 180, Session-Timeout = 989322, PPPD-Upstream-Speed-Limit = 50000, Octets-Direction = 0, Framed-IP-Address = 10.250.105.241, Session-Octets-Limit = 0, Framed-IP-Netmask = 255.255.255.255, PPPD-Downstream-Speed-Limit = 50000,
Exec-Program-Wait: value-pairs: Acct-Interim-Interval = 180, Session-Timeout = 989322, PPPD-Upstream-Speed-Limit = 50000, Octets-Direction = 0, Framed-IP-Address = 10.250.105.241, Session-Octets-Limit = 0, Framed-IP-Netmask = 255.255.255.255, PPPD-Downstream-Speed-Limit = 50000,
Exec-Program: returned: 0
++[abills_auth] returns ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [vpntest/23ytbcghfdyjcnm1] (from client nas11 port 1060 cli 00:13:D4:ED:B0:DB)
WARNING: Empty section. Using default return values.
Sending Access-Accept of id 124 to xxx.xxx.xxx.xxx port 39396
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Acct-Interim-Interval = 180
Session-Timeout = 989322
PPPD-Upstream-Speed-Limit = 50000
Octets-Direction = Route-IP-No
Framed-IP-Address = 10.250.105.241
Session-Octets-Limit = 0
Framed-IP-Netmask = 255.255.255.255
PPPD-Downstream-Speed-Limit = 50000

With a wrong password:
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 41201, id=41, length=90
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "vpntest"
User-Password = "****************"
Calling-Station-Id = "00:13:D4:ED:B0:DB"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 158
+- entering group authorize {...}
++[preprocess] returns ok
Exec-Program output: Auth-Type := Accept
Exec-Program-Wait: value-pairs: Auth-Type := Accept
Exec-Program: returned: 0
++[abills_preauth] returns ok
++[mschap] returns noop
[files] users: Matched entry DEFAULT at line 173
++[files] returns ok
Exec-Program output: Reply-Message = "Wrong password '****************'"
Exec-Program-Wait: value-pairs: Reply-Message = "Wrong password '****************'"
Exec-Program: returned: 1
++[abills_auth] returns reject
Invalid user: [vpntest/****************] (from client nas11 port 158 cli 00:13:D4:ED:B0:DB)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
Exec-Program output:
Exec-Program: returned: 0

Without a password:
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 45611, id=45, length=74
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "vpntest"
Calling-Station-Id = "00:13:D4:ED:B0:DB"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 1070
+- entering group authorize {...}
++[preprocess] returns ok
Exec-Program output: Auth-Type := Accept
Exec-Program-Wait: value-pairs: Auth-Type := Accept
Exec-Program: returned: 0
++[abills_preauth] returns ok
++[mschap] returns noop
[files] users: Matched entry DEFAULT at line 173
++[files] returns ok
Exec-Program output: Acct-Interim-Interval = 180, Session-Timeout = 989248, PPPD-Upstream-Speed-Limit = 50000, Octets-Direction = 0, Framed-IP-Address = 10.250.105.204, Session-Octets-Limit = 0, Framed-IP-Netmask = 255.255.255.255, PPPD-Downstream-Speed-Limit = 50000,
Exec-Program-Wait: value-pairs: Acct-Interim-Interval = 180, Session-Timeout = 989248, PPPD-Upstream-Speed-Limit = 50000, Octets-Direction = 0, Framed-IP-Address = 10.250.105.204, Session-Octets-Limit = 0, Framed-IP-Netmask = 255.255.255.255, PPPD-Downstream-Speed-Limit = 50000,
Exec-Program: returned: 0
++[abills_auth] returns ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [vpntest/<via Auth-Type = Accept>] (from client nas11 port 1070 cli 00:13:D4:ED:B0:DB)
WARNING: Empty section. Using default return values.
Sending Access-Accept of id 45 to xxx.xxx.xxx.xxx port 45611
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Acct-Interim-Interval = 180
Session-Timeout = 989248
PPPD-Upstream-Speed-Limit = 50000
Octets-Direction = Route-IP-No
Framed-IP-Address = 10.250.105.204
PPPD-Downstream-Speed-Limit = 50000

Billing version:
ABillS 0.51b (GT: 0.447381)

As far as I understand from the logs, rauth.pl lets an empty password through with PAP.
How can this problem be fixed?

~AsmodeuS~
Site Admin
Posts: 5749
Joined: Fri Jan 28, 2005 3:11 pm

Re: Authorization with an empty password

Post by ~AsmodeuS~ »

Don't make up fairy tales; put everything into radtest.sh and check.

fantom
Posts: 2
Joined: Fri Nov 19, 2010 4:03 pm

Re: Authorization with an empty password

Post by fantom »

If I put it into radtest.sh, everything is fine there: the empty password does not pass. But when actually connecting to the server, the empty password passed.
Now I have enabled require chap and mschap on the NAS and disabled PAP, and the empty password does not pass.
But if PAP is enabled, it passes.
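
A detection check for the symptom reported in this thread, as an added example that is not part of the original posts and is not ABillS or FreeRADIUS code: it parses radiusd debug output of the shape shown above and flags every Access-Accept whose Access-Request carried no credential attribute, or only an empty one. The function name audit, the set of credential attributes and the sample log are assumptions constructed for illustration.

```python
import re

# Attributes that carry a credential in an Access-Request (assumed set).
CREDENTIAL_ATTRS = {"User-Password", "CHAP-Password", "MS-CHAP-Response",
                    "MS-CHAP2-Response", "EAP-Message"}
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+) = (.*)$')

# Constructed sample, abridged from the shape of the debug output in the thread.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 39396, id=124, length=90
User-Name = "vpntest"
User-Password = "example-secret"
+- entering group authorize {...}
Sending Access-Accept of id 124 to 192.0.2.10 port 39396
rad_recv: Access-Request packet from host 192.0.2.10 port 41201, id=41, length=90
User-Name = "vpntest"
User-Password = "wrong"
+- entering group authorize {...}
Invalid user: [vpntest/wrong] (from client nas11 port 158)
rad_recv: Access-Request packet from host 192.0.2.10 port 45611, id=45, length=74
User-Name = "vpntest"
+- entering group authorize {...}
Sending Access-Accept of id 45 to 192.0.2.10 port 45611
"""

def audit(debug_log):
    """Return one record per Access-Request; flag accepts with no credential."""
    results, cur, in_request = [], None, False
    for line in debug_log.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            cur = {"user": None, "creds": {}, "outcome": "unknown"}
            results.append(cur)
            in_request = True
        elif cur is None or line.startswith("+- entering group"):
            in_request = False  # preamble, or end of the request attributes
        elif in_request and (m := ATTR_RE.match(line)):
            name, value = m.group(1), m.group(2).strip().strip('"')
            if name == "User-Name":
                cur["user"] = value
            elif name in CREDENTIAL_ATTRS:
                cur["creds"][name] = value
        elif line.startswith("Sending Access-Accept"):
            cur["outcome"] = "accept"
        elif line.startswith(("Sending Access-Reject", "Invalid user")):
            cur["outcome"] = "reject"
    for r in results:
        # A missing or empty credential on an accepted request is the anomaly.
        r["suspicious"] = r["outcome"] == "accept" and not any(r["creds"].values())
    return results
```

Running audit over a saved debug log and alerting on any record with suspicious set to True catches the PAP case described in the thread.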
