From: Nick Porter Date: Mon, 17 Jul 2023 10:08:13 +0000 (+0100) Subject: Update password attribute references to use Password.xxx format X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=245648845870e1402ac32a8a489b11c44937b97a;p=thirdparty%2Ffreeradius-server.git Update password attribute references to use Password.xxx format --- diff --git a/doc/antora/modules/concepts/pages/aaa.adoc b/doc/antora/modules/concepts/pages/aaa.adoc index 096318921a1..defa64fde5f 100644 --- a/doc/antora/modules/concepts/pages/aaa.adoc +++ b/doc/antora/modules/concepts/pages/aaa.adoc @@ -76,7 +76,7 @@ user, for example valid user’s password or it’s hash, login restrictions, etc. A quite common mistake is to place the attributes in the wrong lists, -for example placing `Auth-Type`, `Password`, `NT-Password` etc in the check +for example placing `Auth-Type`, `Password`, `Password.NT` etc in the check list, or in the reply list. When run in debugging mode, the server will normally issue `WARNING` messages saying that the attributes are in the wrong list. @@ -88,7 +88,7 @@ example `MS-CHAP`), then the authorization will fail, because the Password in the request items will not match the password in the check attributes. You should place Password attribute obtained from database into configure items and also place Auth-Type attribute with value of -`MS-CHAP` into same list. The same goes for `NT-Password` (before calling -`MS-CHAP` Password attribute should be converted to `NT-Password`, it may be +`MS-CHAP` into same list. The same goes for `Password.NT` (before calling +`MS-CHAP` Password attribute should be converted to `Password.NT`, it may be achieved by calling mschap module in authorization section after module which does actual authorization). diff --git a/doc/antora/modules/howto/pages/modules/mschap/index.adoc b/doc/antora/modules/howto/pages/modules/mschap/index.adoc index 82ec9f10a7c..fbd111442c7 100644 
--- a/doc/antora/modules/howto/pages/modules/mschap/index.adoc +++ b/doc/antora/modules/howto/pages/modules/mschap/index.adoc @@ -10,7 +10,7 @@ If you want to support mschap, there are only 3 possibilities: FreeRADIUS to read this, and set the `Password.Cleartext` control attribute. . You have access to the NT (MS-CHAPv2) or LM (MS-CHAPv1) hashes, and -you configure FreeRADIUS to read this and set the NT/LM-Password control +you configure FreeRADIUS to read this and set the Password.NT/LM control attribute. . You have Samba installed, joined into a windows domain, and use the ntlm_auth helper binary to pass authentication onwards to a domain @@ -102,7 +102,7 @@ method. === Local -If you are performing mschap locally with `Password.Cleartext/NT-Password`, +If you are performing mschap locally with `Password.Cleartext/Password.NT`, you can decrypt and process the password change locally. To do this, you configure the `local_cpw` string: @@ -146,7 +146,7 @@ text LANGUAGE plpgsql AS ``` \[ BEGIN - update radcheck set value=ntpassword where username=raduser and attribute='NT-Password'; + update radcheck set value=ntpassword where username=raduser and attribute='Password.NT'; if not FOUND then -- the user does not exist; die return ''; @@ -159,7 +159,7 @@ text LANGUAGE plpgsql AS The local_cpw xlat has access to two variables: -* MS-CHAP-New-NT-Password - the new value of NT-Password +* MS-CHAP-New-NT-Password - the new value of Password.NT * MS-CHAP-New-Cleartext-PAssword - the new value of Password.Cleartext This allows you to do things like:: @@ -168,7 +168,7 @@ This allows you to do things like:: ``` SQL local_cpw = %{sql:update radcheck set value='%{MS-CHAP-New-NT-Password}' where username=%{User-Name} and -attribute=’NT-Password'} +attribute=’Password.NT'} ``` Or: diff --git a/doc/antora/modules/howto/pages/modules/passwd/index.adoc b/doc/antora/modules/howto/pages/modules/passwd/index.adoc index 7ec58666a9d..42affcc7d01 100644 
--- a/doc/antora/modules/howto/pages/modules/passwd/index.adoc +++ b/doc/antora/modules/howto/pages/modules/passwd/index.adoc @@ -6,13 +6,13 @@ Passwd-like files authorization module. Q: Can I use rlm_passwd to authenticate user against Linux shadow password file or BSD-style master.passwd? A: Yes, but you need RADIUS -running as root. Hint: use Crypt-Password attribute. You probably don’t +running as root. Hint: use Password.Crypt attribute. You probably don’t want to use this module with FreeBSD to authenticate against system file, as it already takes care of caching passwd file entries, but it -may be helpfull to authenticate against alternate file. +may be helpful to authenticate against alternate file. Q: Can I use rlm_passwd to authenticate user against SAMBA smbpasswd? A: -Yes, you can. Hint: use LM-Password/NT-Password attribute, set authtype +Yes, you can. Hint: use Password.LM/Password.NT attribute, set authtype = MS-CHAP. Q: Can I use rlm_password to authenticate user against diff --git a/doc/antora/modules/raddb/pages/mods-available/all_modules.adoc b/doc/antora/modules/raddb/pages/mods-available/all_modules.adoc index ec553f5b18e..470191419ff 100644 --- a/doc/antora/modules/raddb/pages/mods-available/all_modules.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/all_modules.adoc 
@@ -58,7 +58,7 @@ allocation, and implements pre-allocation for use with DHCPv4. who has current sessions. | xref:mods-available/sql.adoc[sql] | Provides an abstraction over multiple SQL backends, via database specific drivers. | xref:mods-available/sqlippool.adoc[sqlippool] | SQL based IP allocation module. -| xref:mods-available/unix.adoc[unix] | Retrieves a user's encrypted password from the local system and places it into the ``control.Crypt-Password`` attribute. +| xref:mods-available/unix.adoc[unix] | Retrieves a user's encrypted password from the local system and places it into the ``control.Password.Crypt`` attribute. The password is retrieved via the ``getpwent()`` and ``getspwent()`` system calls. |===== @@ -114,7 +114,7 @@ including syslog, flat files, and raw UDP/TCP sockets. | xref:mods-available/smbpasswd.adoc[smbpasswd] | SMBPasswd | xref:mods-available/sradutmp.adoc[sradutmp] | sRadutmp | xref:mods-available/stats.adoc[stats] | Stats -| xref:mods-available/totp.adoc[totp] | +| xref:mods-available/totp.adoc[totp] | |===== == Policy Modules diff --git a/doc/antora/modules/raddb/pages/mods-available/ldap.adoc b/doc/antora/modules/raddb/pages/mods-available/ldap.adoc index ac8226390d9..753f7c2f584 100644 --- a/doc/antora/modules/raddb/pages/mods-available/ldap.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/ldap.adoc @@ -756,7 +756,7 @@ ldap { # valuepair_attribute = 'radiusAttribute' update { &control.Password.With-Header += 'userPassword' -# &control.NT-Password := 'ntPassword' +# &control.Password.NT := 'ntPassword' # &reply.Reply-Message := 'radiusReplyMessage' # &reply.Tunnel-Type := 'radiusTunnelType' # &reply.Tunnel-Medium-Type := 'radiusTunnelMediumType' diff --git a/doc/antora/modules/raddb/pages/mods-available/mschap.adoc b/doc/antora/modules/raddb/pages/mods-available/mschap.adoc index fbf8f356a5c..201478c9553 100644 --- a/doc/antora/modules/raddb/pages/mods-available/mschap.adoc 
+++ b/doc/antora/modules/raddb/pages/mods-available/mschap.adoc @@ -356,7 +356,7 @@ mschap { # ntlm_auth_username = "username: %(mschap:User-Name)" # ntlm_auth_domain = "nt-domain: %(mschap:NT-Domain)" # local_cpw = "%(exec:/path/to/script %(mschap:User-Name) %{MS-CHAP-New-Password.Cleartext})" -# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{User-Name}' and attribute='NT-Password'}" +# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{User-Name}' and attribute='Password.NT'}" } # use_open_directory = yes # allow_retry = yes diff --git a/doc/antora/modules/raddb/pages/mods-available/pap.adoc b/doc/antora/modules/raddb/pages/mods-available/pap.adoc index 45fc3405c68..2909e96d896 100644 --- a/doc/antora/modules/raddb/pages/mods-available/pap.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/pap.adoc 
@@ -21,34 +21,34 @@ immediately by the password data. The header is given by the following table. | Header | Attribute | Description | {clear} | Password.Cleartext | Clear-text passwords. | {cleartext} | Password.Cleartext | Clear-text passwords. -| {crypt} | Crypt-Password | Unix-style "crypt"ed passwords. -| {md5} | MD5-Password | MD5 hashed passwords. -| {base64_md5} | MD5-Password | MD5 hashed passwords. -| {smd5} | SMD5-Password | MD5 hashed passwords, with a salt. -| {sha} | SHA-Password | SHA1 hashed passwords. -| | SHA1-Password | SHA1 hashed passwords. -| {ssha} | SSHA-Password | SHA1 hashed passwords, with a salt. -| {sha2} | SHA2-Password | SHA2 hashed passwords. -| {sha224} | SHA2-Password | SHA2 hashed passwords. -| {sha256} | SHA2-Password | SHA2 hashed passwords. -| {sha384} | SHA2-Password | SHA2 hashed passwords. -| {sha512} | SHA2-Password | SHA2 hashed passwords. -| {ssha224} | SSHA2-224-Password | SHA2 hashed passwords, with a salt. -| {ssha256} | SSHA2-256-Password | SHA2 hashed passwords, with a salt. -| {ssha384} | SSHA2-384-Password | SHA2 hashed passwords, with a salt. -| {ssha512} | SSHA2-512-Password | SHA2 hashed passwords, with a salt. -| {ssha3} | SHA3-Password | SHA3 hashed passwords. -| {ssha3-224} | SHA3-224-Password | SHA3 hashed passwords, with a salt. -| {ssha3-256} | SHA3-256-Password | SHA3 hashed passwords, with a salt. -| {ssha3-384} | SHA3-384-Password | SHA3 hashed passwords, with a salt. -| {ssha3-512} | SHA3-512-Password | SHA3 hashed passwords, with a salt. -| {nt} | NT-Password | Windows NT hashed passwords. -| {nthash} | NT-Password | Windows NT hashed passwords. -| {md4} | NT-Password | Windows NT hashed passwords. -| {x-nthash} | NT-Password | Windows NT hashed passwords. -| {ns-mta-md5} | NS-MTA-MD5-Password | Netscape MTA MD5 hashed passwords. -| {x- orcllmv} | LM-Password | Windows LANMAN hashed passwords. -| {X- orclntv} | NT-Password | Windows NT hashed passwords. 
+| {crypt} | Password.Crypt | Unix-style "crypt"ed passwords. +| {md5} | Password.MD5 | MD5 hashed passwords. +| {base64_md5} | Password.MD5 | MD5 hashed passwords. +| {smd5} | Password.SMD5 | MD5 hashed passwords, with a salt. +| {sha} | Password.SHA | SHA1 hashed passwords. +| | Password.SHA1 | SHA1 hashed passwords. +| {ssha} | Password.SSHA | SHA1 hashed passwords, with a salt. +| {sha2} | Password.SHA2 | SHA2 hashed passwords. +| {sha224} | Password.SHA2 | SHA2 hashed passwords. +| {sha256} | Password.SHA2 | SHA2 hashed passwords. +| {sha384} | Password.SHA2 | SHA2 hashed passwords. +| {sha512} | Password.SHA2 | SHA2 hashed passwords. +| {ssha224} | Password.SSHA2-224 | SHA2 hashed passwords, with a salt. +| {ssha256} | Password.SSHA2-256 | SHA2 hashed passwords, with a salt. +| {ssha384} | Password.SSHA2-384 | SHA2 hashed passwords, with a salt. +| {ssha512} | Password.SSHA2-512 | SHA2 hashed passwords, with a salt. +| {ssha3} | Password.SHA3 | SHA3 hashed passwords. +| {ssha3-224} | Password.SHA3-224 | SHA3 hashed passwords, with a salt. +| {ssha3-256} | Password.SHA3-256 | SHA3 hashed passwords, with a salt. +| {ssha3-384} | Password.SHA3-384 | SHA3 hashed passwords, with a salt. +| {ssha3-512} | Password.SHA3-512 | SHA3 hashed passwords, with a salt. +| {nt} | Password.NT | Windows NT hashed passwords. +| {nthash} | Password.NT | Windows NT hashed passwords. +| {md4} | Password.NT | Windows NT hashed passwords. +| {x-nthash} | Password.NT | Windows NT hashed passwords. +| {ns-mta-md5} | Password.NS-MTA-MD5 | Netscape MTA MD5 hashed passwords. +| {x- orcllmv} | Password.LM | Windows LANMAN hashed passwords. +| {X- orclntv} | Password.NT | Windows NT hashed passwords. |=== The module tries to be flexible when handling the various password for mats. 
@@ -56,7 +56,7 @@ It will automatically handle Base-64 encoded data, hex strings, and binary data, and convert them to a format that the server can use. If there is no `Password.With-Header` attribute, the module looks for one -of the `Password.Cleartext`, `NT-Password`, `Crypt-Password`, etc. attributes +of the `Password.Cleartext`, `Password.NT`, `Password.Crypt`, etc. attributes as listed in the above table. These attributes should contain the relevant format password directly, without the header prefix. diff --git a/doc/antora/modules/raddb/pages/mods-available/smbpasswd.adoc b/doc/antora/modules/raddb/pages/mods-available/smbpasswd.adoc index f2b249e1b68..7fe261d3a60 100644 --- a/doc/antora/modules/raddb/pages/mods-available/smbpasswd.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/smbpasswd.adoc @@ -19,7 +19,7 @@ for this module. ``` passwd smbpasswd { filename = /etc/smbpasswd - format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" + format = "*User-Name::Password.LM:Password.NT:SMB-Account-CTRL-TEXT::" hash_size = 100 ignore_nislike = no allow_multiple_keys = no diff --git a/doc/antora/modules/raddb/pages/sites-available/default.adoc b/doc/antora/modules/raddb/pages/sites-available/default.adoc index 5f5b423be88..901c2e00901 100644 --- a/doc/antora/modules/raddb/pages/sites-available/default.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/default.adoc @@ -726,7 +726,7 @@ been set. The `pap` module is also responsible for "normalizing" the various kinds of "known good" passwords. -e.g. `NT-Password` may come as a 16 byte blob, or as a +e.g. `Password.NT` may come as a 16 byte blob, or as a 32-byte hex string, or as a base-64 encoded string. The `pap` module will look for common variations of password encoding, and convert them all to a normal form. 
@@ -800,7 +800,7 @@ Password.Cleartext attribute. Encrypted passwords won't work. For users who are using MS-CHAP authentication. A back-end database listed in the "recv Access-Request" section MUST supply -either a Password.Cleartext attribute, or an NT-Password +either a Password.Cleartext attribute, or a Password.NT attribute. Encrypted passwords won't work. diff --git a/raddb/mods-available/ldap b/raddb/mods-available/ldap index da83190cff3..ec27893021c 100644 --- a/raddb/mods-available/ldap +++ b/raddb/mods-available/ldap @@ -186,7 +186,7 @@ ldap { # update { &control.Password.With-Header += 'userPassword' -# &control.NT-Password := 'ntPassword' +# &control.Password.NT := 'ntPassword' # &reply.Reply-Message := 'radiusReplyMessage' # &reply.Tunnel-Type := 'radiusTunnelType' # &reply.Tunnel-Medium-Type := 'radiusTunnelMediumType' diff --git a/raddb/mods-available/mschap b/raddb/mods-available/mschap index 99febfb9743..6b305bd41a8 100644 --- a/raddb/mods-available/mschap +++ b/raddb/mods-available/mschap @@ -336,7 +336,7 @@ mschap { # TIP: We give both examples here, but *only one should be used*. # # local_cpw = "%(exec:/path/to/script %(mschap:User-Name) %{MS-CHAP-New-Password.Cleartext})" -# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{User-Name}' and attribute='NT-Password'}" +# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{User-Name}' and attribute='Password.NT'}" } # diff --git a/raddb/mods-available/pap b/raddb/mods-available/pap index f790335ee1f..ddb0585a39d 100644 --- a/raddb/mods-available/pap +++ b/raddb/mods-available/pap 
@@ -24,34 +24,34 @@ # | Header | Attribute | Description # | {clear} | Password.Cleartext | Clear-text passwords. # | {cleartext} | Password.Cleartext | Clear-text passwords. -# | {crypt} | Crypt-Password | Unix-style "crypt"ed passwords. -# | {md5} | MD5-Password | MD5 hashed passwords. -# | {base64_md5} | MD5-Password | MD5 hashed passwords. -# | {smd5} | SMD5-Password | MD5 hashed passwords, with a salt. -# | {sha} | SHA-Password | SHA1 hashed passwords. -# | | SHA1-Password | SHA1 hashed passwords. -# | {ssha} | SSHA-Password | SHA1 hashed passwords, with a salt. -# | {sha2} | SHA2-Password | SHA2 hashed passwords. -# | {sha224} | SHA2-Password | SHA2 hashed passwords. -# | {sha256} | SHA2-Password | SHA2 hashed passwords. -# | {sha384} | SHA2-Password | SHA2 hashed passwords. -# | {sha512} | SHA2-Password | SHA2 hashed passwords. -# | {ssha224} | SSHA2-224-Password | SHA2 hashed passwords, with a salt. -# | {ssha256} | SSHA2-256-Password | SHA2 hashed passwords, with a salt. -# | {ssha384} | SSHA2-384-Password | SHA2 hashed passwords, with a salt. -# | {ssha512} | SSHA2-512-Password | SHA2 hashed passwords, with a salt. -# | {ssha3} | SHA3-Password | SHA3 hashed passwords. -# | {ssha3-224} | SHA3-224-Password | SHA3 hashed passwords, with a salt. -# | {ssha3-256} | SHA3-256-Password | SHA3 hashed passwords, with a salt. -# | {ssha3-384} | SHA3-384-Password | SHA3 hashed passwords, with a salt. -# | {ssha3-512} | SHA3-512-Password | SHA3 hashed passwords, with a salt. -# | {nt} | NT-Password | Windows NT hashed passwords. -# | {nthash} | NT-Password | Windows NT hashed passwords. -# | {md4} | NT-Password | Windows NT hashed passwords. -# | {x-nthash} | NT-Password | Windows NT hashed passwords. -# | {ns-mta-md5} | NS-MTA-MD5-Password | Netscape MTA MD5 hashed passwords. -# | {x- orcllmv} | LM-Password | Windows LANMAN hashed passwords. -# | {X- orclntv} | NT-Password | Windows NT hashed passwords. +# | {crypt} | Password.Crypt | Unix-style "crypt"ed passwords. 
+# | {md5} | Password.MD5 | MD5 hashed passwords. +# | {base64_md5} | Password.MD5 | MD5 hashed passwords. +# | {smd5} | Password.SMD5 | MD5 hashed passwords, with a salt. +# | {sha} | Password.SHA | SHA1 hashed passwords. +# | | Password.SHA1 | SHA1 hashed passwords. +# | {ssha} | Password.SSHA | SHA1 hashed passwords, with a salt. +# | {sha2} | Password.SHA2 | SHA2 hashed passwords. +# | {sha224} | Password.SHA2 | SHA2 hashed passwords. +# | {sha256} | Password.SHA2 | SHA2 hashed passwords. +# | {sha384} | Password.SHA2 | SHA2 hashed passwords. +# | {sha512} | Password.SHA2 | SHA2 hashed passwords. +# | {ssha224} | Password.SSHA2-224 | SHA2 hashed passwords, with a salt. +# | {ssha256} | Password.SSHA2-256 | SHA2 hashed passwords, with a salt. +# | {ssha384} | Password.SSHA2-384 | SHA2 hashed passwords, with a salt. +# | {ssha512} | Password.SSHA2-512 | SHA2 hashed passwords, with a salt. +# | {ssha3} | Password.SHA3 | SHA3 hashed passwords. +# | {ssha3-224} | Password.SHA3-224 | SHA3 hashed passwords, with a salt. +# | {ssha3-256} | Password.SHA3-256 | SHA3 hashed passwords, with a salt. +# | {ssha3-384} | Password.SHA3-384 | SHA3 hashed passwords, with a salt. +# | {ssha3-512} | Password.SHA3-512 | SHA3 hashed passwords, with a salt. +# | {nt} | Password.NT | Windows NT hashed passwords. +# | {nthash} | Password.NT | Windows NT hashed passwords. +# | {md4} | Password.NT | Windows NT hashed passwords. +# | {x-nthash} | Password.NT | Windows NT hashed passwords. +# | {ns-mta-md5} | Password.NS-MTA-MD5 | Netscape MTA MD5 hashed passwords. +# | {x- orcllmv} | Password.LM | Windows LANMAN hashed passwords. +# | {X- orclntv} | Password.NT | Windows NT hashed passwords. # |=== # # The module tries to be flexible when handling the various password for mats. 
@@ -59,7 +59,7 @@ # and convert them to a format that the server can use. # # If there is no `Password.With-Header` attribute, the module looks for one -# of the `Password.Cleartext`, `NT-Password`, `Crypt-Password`, etc. attributes +# of the `Password.Cleartext`, `Password.NT`, `Password.Crypt`, etc. attributes # as listed in the above table. These attributes should contain the relevant # format password directly, without the header prefix. # diff --git a/raddb/mods-available/smbpasswd b/raddb/mods-available/smbpasswd index 987f86c8807..646196c7f11 100644 --- a/raddb/mods-available/smbpasswd +++ b/raddb/mods-available/smbpasswd @@ -18,7 +18,7 @@ # passwd smbpasswd { filename = /etc/smbpasswd - format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" + format = "*User-Name::Password.LM:Password.NT:SMB-Account-CTRL-TEXT::" hash_size = 100 ignore_nislike = no allow_multiple_keys = no diff --git a/raddb/sites-available/default b/raddb/sites-available/default index abdda7e195b..b58d57594d5 100644 --- a/raddb/sites-available/default +++ b/raddb/sites-available/default @@ -836,7 +836,7 @@ recv Access-Request { # # The `pap` module is also responsible for "normalizing" the # various kinds of "known good" passwords. - # e.g. `NT-Password` may come as a 16 byte blob, or as a + # e.g. `Password.NT` may come as a 16 byte blob, or as a # 32-byte hex string, or as a base-64 encoded string. The # `pap` module will look for common variations of password # encoding, and convert them all to a normal form. @@ -925,7 +925,7 @@ authenticate chap { # # For users who are using MS-CHAP authentication. A back-end # database listed in the "recv Access-Request" section MUST supply -# either a Password.Cleartext attribute, or an NT-Password +# either a Password.Cleartext attribute, or a Password.NT # attribute. Encrypted passwords won't work. # authenticate mschap { 
diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c index ef2807cf07f..6edc1b5d208 100644 --- a/src/modules/rlm_mschap/rlm_mschap.c +++ b/src/modules/rlm_mschap/rlm_mschap.c @@ -653,7 +653,7 @@ static xlat_action_t mschap_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, return XLAT_ACTION_FAIL; if (mschap_nt_password_hash(buffer, arg->vb_strvalue) < 0) { - REDEBUG("Failed generating NT-Password"); + REDEBUG("Failed generating Password.NT"); *buffer = '\0'; return XLAT_ACTION_FAIL; } @@ -973,7 +973,7 @@ ntlm_auth_err: int ntlen = sizeof(nt_pass_decrypted); if (!nt_password) { - RDEBUG2("Local MS-CHAPv2 password change requires NT-Password attribute"); + RDEBUG2("Local MS-CHAPv2 password change requires Password.NT attribute"); return -1; } else { RDEBUG2("Doing MS-CHAPv2 password change locally"); @@ -1013,7 +1013,7 @@ ntlm_auth_err: if ((nt_pass_decrypted[514] != 0) || (nt_pass_decrypted[515] != 0)) { REDEBUG("Decrypted new password blob claims length > 65536, " - "probably an invalid NT-Password"); + "probably an invalid Password.NT"); return -1; } @@ -1022,7 +1022,7 @@ ntlm_auth_err: */ if (passlen > 512) { REDEBUG("Decrypted new password blob claims length %zu > 512, " - "probably an invalid NT-Password", passlen); + "probably an invalid Password.NT", passlen); return -1; } @@ -1119,7 +1119,7 @@ ntlm_auth_err: RDEBUG2("MS-CHAPv2 password change succeeded: %s", result); /* - * Update the NT-Password attribute with the new hash this lets us + * Update the Password.NT attribute with the new hash this lets us * fall through to the authentication code using the new hash, * not the old one. */ @@ -1169,7 +1169,7 @@ static int CC_HINT(nonnull (1, 2, 4, 5, 6)) do_mschap(rlm_mschap_t const *inst, * No password: can't do authentication. */ if (!password) { - REDEBUG("FAILED: No NT/LM-Password. Cannot perform authentication"); + REDEBUG("FAILED: No Password.NT/LM. Cannot perform authentication"); return -1; } 
@@ -1571,13 +1571,13 @@ static unlang_action_t mschap_error(rlm_rcode_t *p_result, rlm_mschap_t const *i } -/** Find an NT-Password value, or create one from a Password.Cleartext, or Password.With-Header attribute +/** Find a Password.NT value, or create one from a Password.Cleartext, or Password.With-Header attribute * * @param[out] ephemeral Whether we created a new password * attribute. Usually the caller will * either want to insert this into a * list or free it. - * @param[out] out Our new NT-Password. + * @param[out] out Our new Password.NT. * @param[in] inst Module configuration. * @param[in] request The current request. * @return @@ -1611,7 +1611,7 @@ static int CC_HINT(nonnull(1, 2, 3)) nt_password_find(bool *ephemeral, fr_pair_t /* * If we're doing internal auth, then this is an issue */ - RWDEBUG2("No &control.%s or &control.%s found. Cannot create NT-Password", + RWDEBUG2("No &control.%s or &control.%s found. Cannot create Password.NT", attr_cleartext_password->name, attr_nt_password->name); return -1; @@ -1634,7 +1634,7 @@ found_password: ret = mschap_nt_password_hash(p, password->vp_strvalue); if (ret < 0) { - RERROR("Failed generating NT-Password"); + RERROR("Failed generating Password.NT"); talloc_free(nt_password); if (*ephemeral) TALLOC_FREE(password); return -1; @@ -1930,7 +1930,7 @@ static unlang_action_t CC_HINT(nonnull(1,2,3,4,5,8,9)) mschap_process_v2_respons #ifdef __APPLE__ /* - * No "known good" NT-Password attribute. Try to do + * No "known good" Password.NT attribute. Try to do * OpenDirectory authentication. * * If OD determines the user is an AD user it will return noop, which 
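Review bot: The RWDEBUG2 string in the @@ -1611 hunk hardcodes `Password.NT` while the same call already takes the attribute's dictionary name from `attr_nt_password->name`, so the message will drift again on the next rename — this commit is itself that kind of drift fix. Using the dictionary name throughout keeps the message and the attribute in step: `RWDEBUG2("No &control.%s or &control.%s found. Cannot create %s", attr_cleartext_password->name, attr_nt_password->name, attr_nt_password->name);`. The other hardcoded names in this file's log strings could be handled the same way, though that is a broader cleanup. nt_password_find's body continues outside the hunk.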
@@ -1938,7 +1938,7 @@ static unlang_action_t CC_HINT(nonnull(1,2,3,4,5,8,9)) mschap_process_v2_respons * Otherwise OD will determine auth success/fail. */ if (!nt_password && inst->open_directory) { - RDEBUG2("No NT-Password available. Trying OpenDirectory Authentication"); + RDEBUG2("No Password.NT available. Trying OpenDirectory Authentication"); rcode = od_mschap_auth(request, challenge, user_name); if (rcode != RLM_MODULE_NOOP) RETURN_MODULE_RCODE(rcode); } @@ -2077,9 +2077,9 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, } /* - * Look for or create an NT-Password + * Look for or create an Password.NT * - * NT-Password can be NULL here if we didn't find an + * Password.NT can be NULL here if we didn't find an * input attribute, and we're calling out to an * external password store. */ diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c index f5b2ba299ef..379f3f1470f 100644 --- a/src/modules/rlm_pap/rlm_pap.c +++ b/src/modules/rlm_pap/rlm_pap.c @@ -254,7 +254,7 @@ static unlang_action_t CC_HINT(nonnull) pap_auth_smd5(rlm_rcode_t *p_result, uint8_t digest[MD5_DIGEST_LENGTH]; if (known_good->vp_length <= MD5_DIGEST_LENGTH) { - REDEBUG("\"known-good\" SMD5-Password has incorrect length, expected 16 got %zu", known_good->vp_length); + REDEBUG("\"known-good\" Password.SMD5 has incorrect length, expected 16 got %zu", known_good->vp_length); RETURN_MODULE_INVALID; } @@ -286,7 +286,7 @@ static unlang_action_t CC_HINT(nonnull) pap_auth_sha1(rlm_rcode_t *p_result, uint8_t digest[SHA1_DIGEST_LENGTH]; if (known_good->vp_length != SHA1_DIGEST_LENGTH) { - REDEBUG("\"known-good\" SHA1-password has incorrect length, expected 20 got %zu", known_good->vp_length); + REDEBUG("\"known-good\" Password.SHA1 has incorrect length, expected 20 got %zu", known_good->vp_length); RETURN_MODULE_INVALID; } 
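Review bot: The rewritten comment at the top of the @@ -2077 hunk reads `Look for or create an Password.NT`; the article no longer agrees with the new name. The sibling rewrites in this commit (raddb/sites-available/default and the default.adoc page) changed "an NT-Password" to "a Password.NT", so this one should match: ` * Look for or create a Password.NT`. mod_authenticate's body continues outside the hunk.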
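Review bot: The renamed message in the pap_auth_smd5 hunk (@@ -254) still says `expected 16` although the guard is `known_good->vp_length <= MD5_DIGEST_LENGTH`, i.e. a salted digest must be longer than 16 bytes, so a 16-byte value is rejected with a message claiming 16 is what was expected. The equivalent salted check in this file, pap_auth_ssha1, words it as `expected > 20`; this one should be `REDEBUG("\"known-good\" Password.SMD5 has incorrect length, expected > 16 got %zu", known_good->vp_length);`. pap_auth_smd5's body starts and continues outside the hunk.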
@@ -313,7 +313,7 @@ static unlang_action_t CC_HINT(nonnull) pap_auth_ssha1(rlm_rcode_t *p_result, uint8_t digest[SHA1_DIGEST_LENGTH]; if (known_good->vp_length <= SHA1_DIGEST_LENGTH) { - REDEBUG("\"known-good\" SSHA-Password has incorrect length, expected > 20 got %zu", known_good->vp_length); + REDEBUG("\"known-good\" Password.SSHA has incorrect length, expected > 20 got %zu", known_good->vp_length); RETURN_MODULE_INVALID; } @@ -470,10 +470,10 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse(rlm_rcode_t uint8_t hash[EVP_MAX_MD_SIZE]; uint8_t digest[EVP_MAX_MD_SIZE]; - RDEBUG2("Comparing with \"known-good\" PBKDF2-Password"); + RDEBUG2("Comparing with \"known-good\" Password.PBKDF2"); if (len <= 1) { - REDEBUG("PBKDF2-Password is too short"); + REDEBUG("Password.PBKDF2 is too short"); goto finish; } @@ -485,7 +485,7 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse(rlm_rcode_t q = memchr(p, scheme_sep, end - p); if (!q) { - REDEBUG("PBKDF2-Password has no component separators"); + REDEBUG("Password.PBKDF2 has no component separators"); goto finish; } @@ -546,12 +546,12 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse(rlm_rcode_t p = q + 1; if (((end - p) < 1) || !(q = memchr(p, iter_sep, end - p))) { - REDEBUG("PBKDF2-Password missing iterations component"); + REDEBUG("Password.PBKDF2 missing iterations component"); goto finish; } if ((q - p) == 0) { - REDEBUG("PBKDF2-Password iterations component too short"); + REDEBUG("Password.PBKDF2 iterations component too short"); goto finish; } @@ -567,7 +567,7 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse(rlm_rcode_t iterations = strtoul(iterations_buff, &qq, 10); if (*qq != '\0') { REMARKER(iterations_buff, qq - iterations_buff, - "PBKDF2-Password iterations field contains an invalid character"); + "Password.PBKDF2 iterations field contains an invalid character"); goto finish; } 
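Review bot: The iterations parse in the @@ -567 hunk validates only `*qq != '\0'` after `strtoul`, so an out-of-range iterations field is accepted silently: strtoul clamps to ULONG_MAX and sets errno to ERANGE, and the result is assigned to `iterations`, whose type is not visible here (the later `ntohl(iterations)` in this diff suggests a 32-bit integer, in which case the assignment also truncates). Because this value sets the PBKDF2 loop count, a malformed stored credential can make each authentication attempt for that user cost arbitrary CPU. Clearing `errno = 0;` before the call, rejecting `errno == ERANGE`, and — unless an upper bound is applied further down, which I cannot see from this hunk — comparing against a sane maximum would close that. pap_auth_pbkdf2_parse's body starts and continues outside the hunk.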
@@ -580,11 +580,11 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse(rlm_rcode_t slen = fr_base64_decode(&FR_DBUFF_TMP((uint8_t *)&iterations, sizeof(iterations)), &FR_SBUFF_IN((char const *)p, (char const *)q), false, false); if (slen <= 0) { - RPEDEBUG("Failed decoding PBKDF2-Password iterations component (%.*s)", (int)(q - p), p); + RPEDEBUG("Failed decoding Password.PBKDF2 iterations component (%.*s)", (int)(q - p), p); goto finish; } if (slen != sizeof(iterations)) { - REDEBUG("Decoded PBKDF2-Password iterations component is wrong size"); + REDEBUG("Decoded Password.PBKDF2 iterations component is wrong size"); } iterations = ntohl(iterations); @@ -598,12 +598,12 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse(rlm_rcode_t if (iterations == 0) iterations = 1; if (((end - p) < 1) || !(q = memchr(p, salt_sep, end - p))) { - REDEBUG("PBKDF2-Password missing salt component"); + REDEBUG("Password.PBKDF2 missing salt component"); goto finish; } if ((q - p) == 0) { - REDEBUG("PBKDF2-Password salt component too short"); + REDEBUG("Password.PBKDF2 salt component too short"); goto finish; } @@ -611,7 +611,7 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse(rlm_rcode_t slen = fr_base64_decode(&FR_DBUFF_TMP(salt, talloc_array_length(salt)), &FR_SBUFF_IN((char const *) p, (char const *)q), false, false); if (slen <= 0) { - RPEDEBUG("Failed decoding PBKDF2-Password salt component"); + RPEDEBUG("Failed decoding Password.PBKDF2 salt component"); goto finish; } salt_len = (size_t)slen; 
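Review bot: In the @@ -580 hunk the `slen != sizeof(iterations)` branch logs `Decoded Password.PBKDF2 iterations component is wrong size` at error level but has no `goto finish`, so the function carries on with a partially decoded `iterations` and feeds it to `ntohl`. Every other validation failure in this parser bails out, and this one should too: `REDEBUG("Decoded Password.PBKDF2 iterations component is wrong size"); goto finish;`. If continuing is intentional, the message level should be lowered and a comment should say why the short decode is acceptable. pap_auth_pbkdf2_parse's body starts and continues outside the hunk.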
@@ -619,19 +619,19 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse(rlm_rcode_t p = q + 1; if ((q - p) == 0) { - REDEBUG("PBKDF2-Password hash component too short"); + REDEBUG("Password.PBKDF2 hash component too short"); goto finish; } slen = fr_base64_decode(&FR_DBUFF_TMP(hash, sizeof(hash)), &FR_SBUFF_IN((char const *)p, (char const *)end), false, false); if (slen <= 0) { - RPEDEBUG("Failed decoding PBKDF2-Password hash component"); + RPEDEBUG("Failed decoding Password.PBKDF2 hash component"); goto finish; } if ((size_t)slen != digest_len) { - REDEBUG("PBKDF2-Password hash component length is incorrect for hash type, expected %zu, got %zd", + REDEBUG("Password.PBKDF2 hash component length is incorrect for hash type, expected %zu, got %zd", digest_len, slen); RHEXDUMP2(hash, slen, "hash component"); @@ -679,7 +679,7 @@ static inline unlang_action_t CC_HINT(nonnull) pap_auth_pbkdf2(rlm_rcode_t *p_re uint8_t const *p = known_good->vp_octets, *q, *end = p + known_good->vp_length; if (end - p < 2) { - REDEBUG("PBKDF2-Password too short"); + REDEBUG("Password.PBKDF2 too short"); RETURN_MODULE_INVALID; } @@ -728,7 +728,7 @@ static inline unlang_action_t CC_HINT(nonnull) pap_auth_pbkdf2(rlm_rcode_t *p_re '$', '$', '$', false, password); } - REDEBUG("Can't determine format of PBKDF2-Password"); + REDEBUG("Can't determine format of Password.PBKDF2"); RETURN_MODULE_INVALID; } 
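Review bot: The guard whose message the @@ -619 hunk renames, `if ((q - p) == 0)`, directly follows `p = q + 1;`, so `q - p` is always -1 and the `hash component too short` error can never fire; an empty hash component is only caught afterwards by the `slen <= 0` check with the less specific "Failed decoding" message. The intent looks like a check against the end of the value, as the iterations and salt guards earlier in this function do, i.e. `if ((end - p) == 0) {`. Only this hunk is visible, but its 19-line header count matches exactly the lines shown, so nothing sits between the two statements. pap_auth_pbkdf2_parse's body starts and continues outside the hunk.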
@@ -742,12 +742,12 @@ static unlang_action_t CC_HINT(nonnull) pap_auth_nt(rlm_rcode_t *p_result, uint8_t digest[MD4_DIGEST_LENGTH]; uint8_t ucs2[512]; - RDEBUG2("Comparing with \"known-good\" NT-Password"); + RDEBUG2("Comparing with \"known-good\" Password.NT"); fr_assert(password->da == attr_user); if (known_good->vp_length != MD4_DIGEST_LENGTH) { - REDEBUG("\"known good\" NT-Password has incorrect length, expected 16 got %zu", known_good->vp_length); + REDEBUG("\"known good\" Password.NT has incorrect length, expected 16 got %zu", known_good->vp_length); RETURN_MODULE_INVALID; } @@ -778,10 +778,10 @@ static unlang_action_t CC_HINT(nonnull) pap_auth_lm(rlm_rcode_t *p_result, char charbuf[32 + 1]; ssize_t len; - RDEBUG2("Comparing with \"known-good\" LM-Password"); + RDEBUG2("Comparing with \"known-good\" Password.LM"); if (known_good->vp_length != MD4_DIGEST_LENGTH) { - REDEBUG("\"known good\" LM-Password has incorrect length, expected 16 got %zu", known_good->vp_length); + REDEBUG("\"known good\" Password.LM has incorrect length, expected 16 got %zu", known_good->vp_length); RETURN_MODULE_INVALID; } 
@@ -808,20 +808,20 @@ static unlang_action_t CC_HINT(nonnull) pap_auth_ns_mta_md5(rlm_rcode_t *p_resul uint8_t buff[FR_MAX_STRING_LEN]; uint8_t buff2[FR_MAX_STRING_LEN + 50]; - RDEBUG2("Using NT-MTA-MD5-Password"); + RDEBUG2("Using Password.NT-MTA-MD5"); if (known_good->vp_length != 64) { - REDEBUG("\"known good\" NS-MTA-MD5-Password has incorrect length, expected 64 got %zu", + REDEBUG("\"known good\" Password.NS-MTA-MD5 has incorrect length, expected 64 got %zu", known_good->vp_length); RETURN_MODULE_INVALID; } /* - * Sanity check the value of NS-MTA-MD5-Password + * Sanity check the value of Password.NS-MTA-MD5 */ if (fr_base16_decode(NULL, &FR_DBUFF_TMP(digest, sizeof(digest)), &FR_SBUFF_IN(known_good->vp_strvalue, known_good->vp_length), false) != 16) { - REDEBUG("\"known good\" NS-MTA-MD5-Password has invalid value"); + REDEBUG("\"known good\" Password.NS-MTA-MD5 has invalid value"); RETURN_MODULE_INVALID; } @@ -831,7 +831,7 @@ static unlang_action_t CC_HINT(nonnull) pap_auth_ns_mta_md5(rlm_rcode_t *p_resul * This really: sizeof(buff) - 2 - 2*32 - strlen(passwd) */ if (password->vp_length >= (sizeof(buff) - 2 - 2 * 32)) { - REDEBUG("\"known good\" NS-MTA-MD5-Password is too long"); + REDEBUG("\"known good\" Password.NS-MTA-MD5 is too long"); RETURN_MODULE_INVALID; }
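Review bot: The first message in the @@ -808 hunk now reads `Using Password.NT-MTA-MD5`, carrying over the old `NT-MTA-MD5-Password` typo, while every other message in pap_auth_ns_mta_md5 and the `{ns-mta-md5}` row of the pap header table in this same commit use `Password.NS-MTA-MD5`. It should be `RDEBUG2("Using Password.NS-MTA-MD5");`. pap_auth_ns_mta_md5's body starts outside the hunk.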
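Review bot: The renamed message in the @@ -831 hunk says `"known good" Password.NS-MTA-MD5 is too long`, but the condition tests `password->vp_length` — the pair that pap_auth_nt elsewhere in this diff asserts is `attr_user`, i.e. the password from the request — not the known-good value, and the comment above it (`strlen(passwd)`) says the same. Someone reading the debug output will be pointed at the wrong attribute. Something like `REDEBUG("User password is too long for Password.NS-MTA-MD5 comparison, got %zu", password->vp_length);` describes what was actually rejected. pap_auth_ns_mta_md5's body starts and continues outside the hunk.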