Freeradius users operators

Views: 177

Problem description

I faced one issue which I can't understand in the Freeradius users file. My goal is just to authenticate external user "shad" with password "test". I added the following line in /etc/raddb/users:

shad Cleartext-Password == "test"

Result was Reject. If I change the "==" operator to ":=", authentication is successful. So my question is the following: Why can't I use the "==" operator while the FreeRadius documentation says: "Attribute == Value As a check item, it matches if the named attribute is present in the request, AND has the given value."

And one more question. In some resources I faced such lines:

shad Auth-Type := Local, User-Password == "test"

I tried it and it doesn't work. Response is Reject with log: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.

Recommended answer

How the users file works

For the answer below, pairs is referring to Attribute Value Pairs (AVPs), that is, a tuple consisting of an attribute, an operator and a value.

There are three lists of attribute(s) (pairs) that are accessible from the users file. These lists are associated with a specific request.

  • request - Contains all the pairs from the original request received from the NAS (Network Access Server) via the network.
  • control - Initially contains no pairs, but is populated with pairs that control how modules process the current request. This is done from the users file or unlang (the freeRADIUS policy language used in virtual servers).
  • reply - Contains pairs you want to send back to the NAS via the network.

The users file module determines the list it's going to use for inserting/searching by where the pair is listed in the entry and the operator.

The first line of the entry contains check pairs that must match in order for the entry to be used. It also contains control pairs, those you want to be inserted into the control list if all the check pairs match.

Note: It doesn't matter which order the pairs are listed in. control pairs will not be inserted unless all the check pairs evaluate to true.

check and control pairs are distinguished by the operator used. If an assignment operator is used i.e. ':=' or '=' then the pair will be treated as a control pair. If an equality operator such as '>', '<', '==', '>=', '<=', '=~' is used, the pair will be treated as a check pair.

Subsequent lines in the same entry contain only reply pairs. If all check pairs match, reply pairs will be inserted into the reply list.

Cleartext-Password is strictly a control pair. It should not be present in any of the other lists.

Cleartext-Password is one of a set of attributes, which should contain the 'reference' (or 'known good') password, that is, the local copy of the user's password. An example of another pair in this set is SSHA-Password - this contains a salted SHA hash of the user's password.

The reference password pairs are searched for by the module in the server which deals with authenticating users using the 'User-Password' pair, 'rlm_pap'.

User-Password is strictly a request pair. It should not be present in any of the other lists.

User-Password is included in the request from the NAS. It contains the plaintext version of the password the user provided to the NAS. In order to authenticate a user, a module needs to compare the contents of User-Password with a control pair like Cleartext-Password.

In a users file entry when setting reference passwords you'll see entries like:

my_username Cleartext-Password := "known_good_password"

That is, if the username matches the value on the left (my_username), then insert the control pair Cleartext-Password with the value "known_good_password".

To answer the first question, the reason why:

shad Cleartext-Password == "test"

Does not work, it is because you are telling the files module to search in the request list, for a pair which does not exist in the request list, and should never exist in the request list.

You might now be thinking oh, I'll use User-Password == "test" instead, and it'll work. Unfortunately it won't. If the password matches then the entry will match, but the user will still be rejected; see below for why.

Auth-Type is strictly a control pair. It should not be present in any of the other lists.

There are three main sections in the server for dealing with requests: 'authorize', 'authenticate', 'post-auth'.

authorize is the information gathering section. This is where database lookups are done to authorise the user, and to retrieve reference passwords. It's also where Auth-Type is determined, that is, the type of authentication we want to perform for the user.

Authenticate is where a specific module is called to perform authentication. The module is determined by Auth-Type.

Post-Auth is mainly for logging and applying further policies; the modules run in Post-Auth are determined by the response returned from the module run in Authenticate.

The modules in authorize examine the request, and if they think they can authenticate the user, and Auth-Type is not set, they set it to themselves.

The rlm_pap module will set Auth-Type = 'pap' if it finds the User-Password in the request.

If no Auth-Type is set the request will be rejected.

So to answer your second question, you're forcing pap authentication, which is wrong, you should let rlm_pap set the Auth-Type, and then you're doing an equality check for the password instead of setting the control pair which rlm_pap uses.

When rlm_pap runs in authenticate, it looks for a member of the set of 'reference' passwords described above, and if it can't find one, it rejects the request; this is what's happening above.

There's also a 'magic' Auth-Type, 'Accept', which skips the authenticate section completely and just accepts the user. If you want to do cleartext password comparison without rlm_pap, you can use:

shad Auth-Type := Accept, User-Password == "test"
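The following is an added example, not part of the question or the answer above and not FreeRADIUS code: a small Python model of the rules the answer lays out (pairs classified as check or control by their operator, check pairs evaluated against the request list, control pairs inserted only when all checks pass, rlm_pap claiming the request in authorize when User-Password is present, comparing User-Password against Cleartext-Password in authenticate, and the magic 'Accept' Auth-Type). Running the four entries discussed above through it reproduces each outcome. The function names (`parse_first_line`, `authorize`, `authenticate`, `run`), the dictionaries standing in for the request and control lists, and the simplification that every non-Accept Auth-Type is dispatched to rlm_pap are assumptions of this model; real FreeRADIUS supports more reference-password attributes, more operators and reply lines, none of which are modelled.

```python
import re

# Assumption (simplified model): assignment operators make a control pair,
# comparison operators make a check pair, exactly as the answer describes.
ASSIGN_OPS = {":=", "="}
CHECK_OPS = {"==", ">=", "<=", "=~", ">", "<"}
PAIR_RE = re.compile(r'([\w-]+)\s*(:=|==|>=|<=|=~|=|>|<)\s*"?([^"]*?)"?$')


def parse_first_line(line):
    """Split the first line of a users-file entry into (username, check, control).

    Each pair is returned as an (attribute, operator, value) tuple.
    Values containing commas are not supported in this toy parser.
    """
    username, _, rest = line.strip().partition(" ")
    check, control = [], []
    for item in rest.split(","):
        m = PAIR_RE.fullmatch(item.strip())
        if m is None:
            raise ValueError(f"cannot parse pair {item!r}")
        attr, op, value = m.groups()
        (control if op in ASSIGN_OPS else check).append((attr, op, value))
    return username, check, control


def check_matches(check, request):
    """All check pairs must be present in the request list with the given value."""
    for attr, op, value in check:
        if op != "==":
            raise NotImplementedError(f"operator {op} not modelled")
        if request.get(attr) != value:
            return False
    return True


def authorize(entry_line, request):
    """Model of the authorize section: files module, then rlm_pap.

    Returns the control list (a dict) built for this request.
    """
    username, check, control_pairs = parse_first_line(entry_line)
    control = {}
    # The entry is used only if the username matches and every check pair matches.
    if request.get("User-Name") == username and check_matches(check, request):
        for attr, _op, value in control_pairs:
            control[attr] = value
    # rlm_pap claims the request if User-Password is present and nobody set Auth-Type.
    if "User-Password" in request and "Auth-Type" not in control:
        control["Auth-Type"] = "pap"
    return control


def authenticate(control, request):
    """Model of the authenticate section: dispatch on Auth-Type.

    Returns ("Accept" | "Reject", reason).
    """
    auth_type = control.get("Auth-Type")
    if auth_type is None:
        return "Reject", "no Auth-Type set, no module claimed the request"
    if auth_type == "Accept":
        return "Accept", "magic Auth-Type Accept skips authentication"
    # Assumption: every other Auth-Type lands in rlm_pap, which is where the
    # question's [pap] log line shows 'Local' ending up.
    known_good = control.get("Cleartext-Password")
    if known_good is None:
        return "Reject", '[pap] no "known good" password found for the user'
    if request.get("User-Password") == known_good:
        return "Accept", "[pap] User-Password matches Cleartext-Password"
    return "Reject", "[pap] User-Password does not match Cleartext-Password"


def run(entry_line, user_name, password):
    """Send one constructed request (User-Name, User-Password) through the model."""
    request = {"User-Name": user_name, "User-Password": password}  # constructed request list
    return authenticate(authorize(entry_line, request), request)


if __name__ == "__main__":
    for entry in (
        'shad Cleartext-Password == "test"',            # question 1: Reject
        'shad Cleartext-Password := "test"',            # question 1 with ':=': Accept
        'shad User-Password == "test"',                 # entry matches, still Reject
        'shad Auth-Type := Local, User-Password == "test"',   # question 2: Reject
        'shad Auth-Type := Accept, User-Password == "test"',  # answer's final form: Accept
    ):
        print(f"{entry:55} -> {run(entry, 'shad', 'test')}")
```

The model makes the answer's point visible in one place: with `==`, Cleartext-Password is searched for in the request list, where it never is, so the entry is skipped, rlm_pap still claims the request, and rejects for lack of a reference password; with `Auth-Type := Accept` the `==` check on User-Password becomes the whole decision, so a wrong password simply fails the check and falls back to the same rlm_pap rejection.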
