(RADIATOR) Radiator dying on unusual usernames

Hugh Irvine hugh at open.com.au
Wed Jul 30 20:28:37 CDT 2003


Hello Barry -

You can use the global UsernameCharset parameter in the configuration  
file to restrict usernames to a defined set of characters (and reject  
anything else). See section 6.4.30 in the Radiator 3.6 reference manual  
("doc/ref.html").

I have also copied Mike on this mail, as he may have other comments.

BTW - you will sometimes see username and password strings like you  
show below from modems that have not trained properly and give you  
rubbish.

regards

Hugh


On Thursday, Jul 31, 2003, at 10:40 Australia/Melbourne, Barry Brown  
wrote:

> Hi,
>
> We just installed Radiator and are running into situations where it  
> just rolls over and dies. Sometimes it happens after just a few hours,  
> sometime I have to wait a day or so. The latest incident happened a  
> few hours ago and I captured it on the console and in log files. It  
> looks like Syslog.pm is choking on the data it's being given. It could  
> be because of the garbage username and password. I can't say for sure  
> whether the previous incidents were caused by the same thing since I  
> didn't have the log files set up to capture them.
>
> Should radiator be sanitizing the data before working with it?
>
> Thanks,
>
> Barry
>
>
>
> Console output:
>
> bobbidi root # radiusd -config_file /etc/radiusd.conf -foreground
> Modification of a read-only value attempted at  
> /usr/lib/perl5/5.8.0/i686-linux/Sys/Syslog.pm line 296.
> Attempt to free unreferenced scalar during global destruction.
>
>
> Configuration file (no secrets):
>
> #Foreground
> #LogStdout
> LogDir          /var/log/radius
> DbDir           /etc/raddb
> PidFile         /var/run/radiusd/radiusd.pid
> # User a lower trace level in production systems:
> Trace           4
> AuthPort        1645,1812
> AcctPort        1646,1813
>
> <ClientListSQL>
>         DBSource        dbi:mysql:radius:123.4.5.6
>         DBUsername      XXXXXX
>         DBAuth          XXXXXXXX
>         GetClientQuery  select ipaddr,secret from nas
> </ClientListSQL>
>
> <Realm DEFAULT>
>         <AuthBy SQL>
>                 DBSource        dbi:mysql:radius:123.4.5.6
>                 DBUsername      XXXXXX
>                 DBAuth          XXXXXXX
>                 AuthSelect select Value from radcheck where UserName =  
> %0
>                 AuthColumnDef 0, User-Password, check
>                 AddToReply Service-Type=Framed-User,\
>                         Framed-Protocol=PPP,\
>                         Framed-Compression=Van-Jacobsen-TCP-IP
>         </AuthBy>
>
>         PasswordLogFileName     /var/log/radius/password.log
>
>         <AuthLog SYSLOG>
>                 Facility user
>                 Priority info
>                 LogSuccess 0
>                 LogFailure 1
>                 # The defaults for below are %1:%U:%P:OK and  
> %1:%U:%P:FAIL
>                 SuccessFormat %U:OK
>                 FailureFormat %U:%P:FAIL
>         </AuthLog>
>         #<AuthLog SQL>
>         #       DBSource        dbi:mysql:radius:123.4.5.6
>         #       DBUsername      XXXXXXX
>         #       DBAuth          XXXXXXX
>         #</AuthLog>
> </Realm>
>
>
> Last few lines of the authlog (generated by syslog):
>
> Jul 30 11:23:53 bobbidi /usr/bin/radiusd[11372]: had-e::FAIL: No such  
> user
> Jul 30 11:24:43 bobbidi /usr/bin/radiusd[11372]: ::FAIL: No such user
> Jul 30 11:25:59 bobbidi /usr/bin/radiusd[11372]: ::FAIL: No such user
> Jul 30 11:26:10 bobbidi /usr/bin/radiusd[11372]: smsshanghai::FAIL:  
> Bad Password
> Jul 30 11:26:51 bobbidi /usr/bin/radiusd[11372]: john23::FAIL: Bad  
> Password
> Jul 30 11:28:45 bobbidi /usr/bin/radiusd[11372]: john23::FAIL: Bad  
> Password
> Jul 30 11:29:26 bobbidi /usr/bin/radiusd[11372]:  
> EBR=11-~d44KlN0mu#-k7}R%A-m1UfLp:G*t\?yBzb|.3\'>Ccp4&&#Rn\anJ{N/ 
> \(s[+5yx+<x#5a\Q2!i|7U6{:E!'5&>:FAIL: No such user
> Jul 30 11:29:26 bobbidi /usr/bin/radiusd[11372]: k-5TK:0I:FAIL: No  
> such user
>
> Finally, the last few entries from the logfile:
>
> Wed Jul 30 11:29:26 2003: DEBUG: Packet dump:
> *** Received from 66.81.0.128 port 3598 ....
> Code:       Access-Request
> Identifier: 192
> Authentic:  ;<203><191><152>~<163><247><177><14>*q<1>jw<184><208>
> Attributes:
>         User-Name = "EBR=11-~d44KlN%Xmu#-k7}R%A-m1UfLp"
>         NAS-IP-Address = 66.81.7.27
>         NAS-Port = 27213
>         NAS-Port-Type = Async
>         Service-Type = Login-User
>         Calling-Station-Id = "5306761012"
>         Ascend-Calling-Id-Type-Of-Num = Unknown
>         Ascend-Calling-Id-Number-Plan = Unknown
>         Called-Station-Id = "5305031325"
>         Acct-Session-Id = "401591860"
>         Ascend-Data-Rate = 26400
>         Ascend-Xmit-Rate = 26400
>         User-Password =  
> "A<28><240><183><10>3Yi<192>K<162><2><3>U7m<181>s<186>6<214><14>2<188>L 
> <221>h<185>~<7>{<236><4>$  
> <237><245><245><26><168>q<196><8><30>~@w<226>70I<226><251><8>)"N<227><5 
> >k<17>4=<21>"
>
> Wed Jul 30 11:29:26 2003: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Wed Jul 30 11:29:26 2003: DEBUG:  Deleting session for  
> EBR=11-~d44KlN%Xmu#-k7}R%A-m1UfLp, 66.81.7.27, 27213
> Wed Jul 30 11:29:26 2003: DEBUG: Handling with Radius::AuthSQL
> Wed Jul 30 11:29:26 2003: DEBUG: Handling with Radius::AuthSQL:
> Wed Jul 30 11:29:26 2003: DEBUG: Query is: 'select Value from radcheck  
> where UserName = 'EBR=11-~d44KlN%Xmu#-k7}R%A-m1UfLp'':
>
> Wed Jul 30 11:29:26 2003: DEBUG: Radius::AuthSQL looks for match with  
> EBR=11-~d44KlN%Xmu#-k7}R%A-m1UfLp
> Wed Jul 30 11:29:26 2003: DEBUG: Query is: 'select Value from radcheck  
> where UserName = 'DEFAULT'':
>
> Wed Jul 30 11:29:26 2003: INFO: Access rejected for  
> EBR=11-~d44KlN%Xmu#-k7}R%A-m1UfLp: No such user
> Wed Jul 30 11:29:26 2003: DEBUG: Packet dump:
> *** Sending to 66.81.0.128 port 3598 ....
> Code:       Access-Reject
> Identifier: 192
> Authentic:  ;<203><191><152>~<163><247><177><14>*q<1>jw<184><208>
> Attributes:
>         Reply-Message = "Request Denied"
>
> Wed Jul 30 11:29:26 2003: DEBUG: Packet dump:
> *** Received from 66.81.0.128 port 3598 ....
> Code:       Access-Request
> Identifier: 193
> Authentic:  <175>l<22><253><21>NP<243><203><233>Elm<13><<143>
> Attributes:
>         User-Name = "alewis"
>         NAS-IP-Address = 66.81.7.11
>         NAS-Port = 26724
>         NAS-Port-Type = Async
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Calling-Station-Id = "5302724813"
>         Ascend-Calling-Id-Type-Of-Num = Unknown
>         Ascend-Calling-Id-Number-Plan = Unknown
>         Called-Station-Id = "5302051325"
>         Acct-Session-Id = "398300071"
>         Ascend-Endpoint-Disc =  
> "<1><204><25>[<3>x<226>D<<162><13>O<133><195>><29>:"
>         Ascend-Data-Rate = 26400
>         Ascend-Xmit-Rate = 50667
>         User-Password =  
> ";<182><168><225><243><146>L*'8<251>t<161><191><127><164>"
>
> Wed Jul 30 11:29:26 2003: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Wed Jul 30 11:29:26 2003: DEBUG:  Deleting session for lewis,  
> 66.81.7.11, 26724
> Wed Jul 30 11:29:26 2003: DEBUG: Handling with Radius::AuthSQL
> Wed Jul 30 11:29:26 2003: DEBUG: Handling with Radius::AuthSQL:
> Wed Jul 30 11:29:26 2003: DEBUG: Query is: 'select Value from radcheck  
> where UserName = 'alewis'':
>
> Wed Jul 30 11:29:26 2003: DEBUG: Radius::AuthSQL looks for match with  
> alewis
> Wed Jul 30 11:29:26 2003: DEBUG: Radius::AuthSQL ACCEPT:
> Wed Jul 30 11:29:26 2003: DEBUG: Access accepted for alewis
> Wed Jul 30 11:29:26 2003: DEBUG: Packet dump:
> *** Sending to 66.81.0.128 port 3598 ....
> Code:       Access-Accept
> Identifier: 193
> Authentic:  <175>l<22><253><21>NP<243><203><233>Elm<13><<143>
> Attributes:
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Framed-Compression = Van-Jacobsen-TCP-IP
>
> Wed Jul 30 11:29:26 2003: DEBUG: Packet dump:
> *** Received from 66.81.0.128 port 3598 ....
> Code:       Access-Request
> Identifier: 195
> Authentic:  ;<203><191><152>~<163><247><177><14>*q<1>jw<184><208>
> Attributes:
>         User-Name = "k-5TK"
>         NAS-IP-Address = 66.81.7.27
>         NAS-Port = 27213
>         NAS-Port-Type = Async
>         Service-Type = Login-User
>         Calling-Station-Id = "5306761012"
>         Ascend-Calling-Id-Type-Of-Num = Unknown
>         Ascend-Calling-Id-Number-Plan = Unknown
>         Called-Station-Id = "5305031325"
>         Acct-Session-Id = "401591860"
>         Ascend-Data-Rate = 26400
>         Ascend-Xmit-Rate = 26400
>         User-Password = "6<127><132><235>5J<27><19><162>7<140>1_r<9>."
>
> Wed Jul 30 11:29:26 2003: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Wed Jul 30 11:29:26 2003: DEBUG:  Deleting session for k-5TK,  
> 66.81.7.27, 27213
> Wed Jul 30 11:29:26 2003: DEBUG: Handling with Radius::AuthSQL
> Wed Jul 30 11:29:26 2003: DEBUG: Handling with Radius::AuthSQL:
> Wed Jul 30 11:29:26 2003: DEBUG: Query is: 'select Value from radcheck  
> where UserName = 'k-5TK'':
>
> Wed Jul 30 11:29:26 2003: DEBUG: Radius::AuthSQL looks for match with  
> k-5TK
> Wed Jul 30 11:29:26 2003: DEBUG: Query is: 'select Value from radcheck  
> where UserName = 'DEFAULT'':
>
> Wed Jul 30 11:29:26 2003: INFO: Access rejected for k-5TK: No such user
> Wed Jul 30 11:29:26 2003: DEBUG: Packet dump:
> *** Sending to 66.81.0.128 port 3598 ....
> Code:       Access-Reject
> Identifier: 195
> Authentic:  ;<203><191><152>~<163><247><177><14>*q<1>jw<184><208>
> Attributes:
>         Reply-Message = "Request Denied"
>
> Wed Jul 30 11:29:26 2003: DEBUG: Packet dump:
> *** Received from 66.81.0.128 port 3598 ....
> Code:       Access-Request
> Identifier: 196
> Authentic:  ;<203><191><152>~<163><247><177><14>*q<1>jw<184><208>
> Attributes:
>         User-Name =  
> "R99%KDF{j"kk$B#(5#W>l2TFav%A?<OPfjxt?>~.fu&Q15gj}yfxB;y;9"
>         NAS-IP-Address = 66.81.7.27
>         NAS-Port = 27213
>         NAS-Port-Type = Async
>         Service-Type = Login-User
>         Calling-Station-Id = "5306761012"
>         Ascend-Calling-Id-Type-Of-Num = Unknown
>         Ascend-Calling-Id-Number-Plan = Unknown
>         Called-Station-Id = "5305031325"
>         Acct-Session-Id = "401591860"
>         Ascend-Data-Rate = 26400
>         Ascend-Xmit-Rate = 26400
>         User-Password =  
> "IV<236><168><13>4!x<139>z<175>EiT7z<22>f<24><131><163><155><141>^<247> 
> <5>L~<244><252>7M|<219>]U<196>:<247><164><234><155><172><146>:<186><140 
> ><247><168>2B<134><174><166>w<205><31><146><184><239><142>#<144>7<216>v 
> <231><220><160>>Q<127><22><196><184><247>y<240>#{&ok<169>e<145><232><20 
> 1><155><205><29>$<177>me<179><143><218>o?v<20><6><211>e<175><27><200><1 
> 29><220><21><207>%x<206>v<222>_<202><27><168>Q{`7<224>.)<23><143>d8<8>< 
> 169><211>?V<254>c{<253><20>6<199><30>!<22>x<141><7><136><159><168><211> 
> <190>)f<20>J"
>
> Wed Jul 30 11:29:26 2003: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Wed Jul 30 11:29:26 2003: DEBUG:  Deleting session for  
> R99%KDF{j"kk$B#(5#W>l2TFav%A?<OPfjxt?>~.fu&Q15gj}yfxB;y;9, 66.81.7.27,  
> 27213
> Wed Jul 30 11:29:26 2003: DEBUG: Handling with Radius::AuthSQL
> Wed Jul 30 11:29:26 2003: DEBUG: Handling with Radius::AuthSQL:
> Wed Jul 30 11:29:26 2003: DEBUG: Query is: 'select Value from radcheck  
> where UserName =  
> 'R99%KDF{j\"kk$B#(5#W>l2TFav%A?<OPfjxt?>~.fu&Q15gj}yfxB;y;9'':
>
> Wed Jul 30 11:29:26 2003: DEBUG: Radius::AuthSQL looks for match with  
> R99%KDF{j"kk$B#(5#W>l2TFav%A?<OPfjxt?>~.fu&Q15gj}yfxB;y;9
> Wed Jul 30 11:29:26 2003: DEBUG: Query is: 'select Value from radcheck  
> where UserName = 'DEFAULT'':
>
> Wed Jul 30 11:29:26 2003: INFO: Access rejected for  
> R99%KDF{j"kk$B#(5#W>l2TFav%A?<OPfjxt?>~.fu&Q15gj}yfxB;y;9: No such > user
>
>
> A few lines from Syslog.pm around line 296:
>
>     unless ($whoami) {
>         ($whoami = getlogin) ||
>             ($whoami = getpwuid($<)) ||
>                 ($whoami = 'syslog');
>     }
>
>     $whoami .= "[$$]" if $lo_pid;
>
>     $mask =~ s/%m/$!/g;
>     $mask .= "\n" unless $mask =~ /\n$/;
>     $message = sprintf ($mask, @_);     #        <-- This is 296
>
>     $sum = $numpri + $numfac;
>     my $buf = "<$sum>$whoami: $message\0";
>
>     # it's possible that we'll get an error from sending
>     # (e.g. if method is UDP and there is no UDP listener,
>     # then we'll get ECONNREFUSED on the send). So what we
>     # want to do at this point is to fallback onto a different
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list