Real Time Ascend Mailing List Archive

Re: (ASCEND) Ascend's Radiusd



I agree with Stephen regarding the zapping of the space or tab information.
The code actually reads the input and ignores everything after the space so
if the login is

"testuser anotherword"

only "testuser" is used to validate the user. This is ok except that the
detail record shows that the login was actually

"testuseranotherword"

Commenting out this code is not the way to go. But find the code that writes
to the detail file and add the same code that users.c uses to write out the
User-Name portion of the detail record.

On my system it shows up when people have used their first name as their
account ID and then type in their full name with space to logon. "john
brown" becomes "john" to validate and shows up as "johnbrown" in the detail
record under User-Name.

I have noticed this as a problem with names that contain "-" (dashes) as
well; they seem to be removed when placed in the detail record so a name like

"a-big-blue-bus" gets recorded as "abigbluebus".

These problems really only affect the ISP doing accounting based on usage.
It makes it hard to keep track of john vs johnbrown for times. And could I
suppose be misused if understood by our customers if one user got a name
that started like someone else. To take the above example john could be a
valid username and so could johnbrown, but john could hide all of his
activity by logging in as "john brown".

This is not currently a problem on my system but I suppose world wide
someone could be getting away with it.

Has this been addressed in later versions, are there later versions, or how
do we fix it ourselves? Ascend (Lucent) has always stated that it is free
and therefore unsupported.

Dave Joyce
Internet Manager
RTC on Line
219-223-0228
FAX 219-223-4898

----- Original Message -----
From: Stephen Mulrine <skm@foremost.co.uk>
To: <ascend-users@bungi.com>
Sent: Monday, August 09, 1999 4:51 AM
Subject: Re: (ASCEND) Ascend's Radiusd


> Sascha Pollok wrote:
> >Dear folks,
> >we are currently using the following radiusd for authentication
> >with a normal /etc/raddb/users file:
> >./radiusd: RADIUS version 1.16 (plus Ascend extensions) 1998/18/06
> > NOSHADOW BINARY_FILTERS ASCEND_SECRET ASCEND_LOGOUT sys5
> >What I experienced is that in case we have a "testuser" in the
> >users-file, the radiusd also accepts a "testuser anotherword" for
> >this user. All following chars after the space seem to be
> >ignored.
>
> I've just had a quick look at the source code and the problem appears to
> be in the user_find procedure in ascendd/users.c.  The code explicitly
> zaps a space or tab (and any character thereafter) before it looks up a
> name in the user database.  This is because space (and presumably tab)
> are used as separators in this database - at least on the line which
> specifies the username.  The source code lines in question are from 278
> to 287, between
>     mode = FIND_MODE_NAME;
> and
>     namelen=strlen(name);
>
> If you remove or comment out these lines (excluding the ones shown),
> which I haven't done myself, I can't guarantee that there wouldn't be
> undesired consequences when the daemon subsequently tries to verify a
> name containing spaces.  It might be okay if your database is in DBM
> format, however.  (Valid usernames still wouldn't be able to contain
> spaces unless further changes were made to the builddbm application, in
> particular usr_read.c.)
>
> s.
> ++ Ascend Users Mailing List ++
> To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
> To get FAQ'd: <http://www.nealis.net/ascend/faq>


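Added example, not part of the original thread and not Ascend's source code: a C model of the mismatch discussed above, where the name used for validation and the name written to the detail record are derived differently, next to the fix suggested in the message (the accounting writer reuses the lookup's normalization). All function names are hypothetical, and the detail-record behaviour is modelled only from the examples given in the post.

```c
#include <stdio.h>
#include <string.h>

/* Model of the lookup described in the thread: cut the name at the first
 * space or tab before searching the users file. Hypothetical helper. */
static void auth_key(const char *login, char *out, size_t outlen)
{
    size_t n = strcspn(login, " \t");
    if (n >= outlen) n = outlen - 1;
    memcpy(out, login, n);
    out[n] = '\0';
}

/* Model of the reported detail-file behaviour: spaces, tabs and dashes are
 * dropped and the rest is kept (assumption built from the post's examples). */
static void detail_key_observed(const char *login, char *out, size_t outlen)
{
    size_t j = 0;
    for (size_t i = 0; login[i] != '\0' && j + 1 < outlen; i++)
        if (login[i] != ' ' && login[i] != '\t' && login[i] != '-')
            out[j++] = login[i];
    out[j] = '\0';
}

/* Suggested fix: accounting reuses the authentication key, so the recorded
 * User-Name is always the account that was actually validated. */
static void detail_key_fixed(const char *login, char *out, size_t outlen)
{
    auth_key(login, out, outlen);
}

/* Returns 1 when accounting would record a different name than was validated. */
static int identity_mismatch(const char *login,
                             void (*detail)(const char *, char *, size_t))
{
    char a[64], d[64];
    auth_key(login, a, sizeof a);
    detail(login, d, sizeof d);
    return strcmp(a, d) != 0;
}

int main(void)
{
    const char *samples[] = { "john", "john brown", "a-big-blue-bus" }; /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-16s observed=%d fixed=%d\n", samples[i],
               identity_mismatch(samples[i], detail_key_observed),
               identity_mismatch(samples[i], detail_key_fixed));
    return 0;
}
```

The same `identity_mismatch` comparison can be run over existing detail records to flag any User-Name that has no matching entry in the users file.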