On Wed, May 24, 2006 at 02:14:17PM +0200, Henrik Nordstrom wrote:
> On Tue 2006-05-23 at 12:53 -0400, Michael W. Lucas wrote:
>
> > At times it has seemed that clients attempting to authenticate are
> > being rejected despite having good passwords. Similarly, users have
> > been able to get out to the Internet without a legitimate username and
> > password. Squid's debugging output shows that the authenticator was
> > returning an "ok" response for these nonexistent usernames and
> > passwords. At the time this happened, we would see "Warning: Received
> > invalid reply digest from server" errors. A "squid -k reconfigure"
> > made those go away by restarting the authenticator children, of
> > course, but running that once a minute is not an ideal solution.
>
> The "invalid digest" indicates the radius server and squid_radius_auth
> didn't agree on the shared secret authentication.

That's what I guessed, but I thought I'd leave that to you guys.

> As the problem is seen with both radius client implementations I would
> suspect there is something fishy going on with your server making it
> send out either malformed responses or changing between different
> secrets..

Could be. This happened on the previous server (running RHEL ES 3) and
this new server (running RHEL ES 4).

> > At the time of the error, netstat -na -u on the RHEL box shows:
> >
> > udp 2352 0 10.184.1.94:33009 10.184.1.56:1812 ESTABLISHED
> >
> > lsof shows that the process with the big recv queue is the
> > authenticator. This happens with both squid_radius_auth and my perl
> > applet.
>
> This is a good hint, especially if combined with the digest error
> above..

One way I could trigger this was to run squid_radius_auth in a tight
loop. Give it enough credentials close enough together and it chokes.

> I think I know what is going on in squid_radius_auth here. The code dealing
> with retransmits looks a bit fishy..

Any assistance would be vastly appreciated.

In case it helps, here's my perl Radius code.
Anyone who has read the test for auth::radius should recognize its origins.

#!/usr/bin/perl
#$Id: radius_mwl.pl,v 1.2 2006/05/22 14:49:34 system_mwl Exp $
#basic Radius authenticator, for debugging

use strict;
use warnings;
use Authen::Radius;
use Sys::Syslog;

my $host   = "x.y.z.a";     # RADIUS server address
my $secret = "secret1";     # shared secret; must match the server's copy

$| = 1;                     # unbuffered stdout: Squid reads one reply line per request

openlog("squid", "pid", "local0");
my $request = Authen::Radius->new(Host => $host, Secret => $secret);
# my $request = Authen::Radius->new(Host => $host, Secret => $secret, Debug => 1);

# Squid basic auth helper protocol: one "username password" line per request
# on stdin, answered with OK or ERR on stdout.
while (<STDIN>) {
    chomp;
    my ($user, $pass) = split / /, $_;
    if ($request->check_pwd($user, $pass)) {
        print "OK\n";
        syslog('notice', "user $user radius auth correct");
    } else {
        print "ERR\n";
        syslog('notice', "user $user radius auth error");
    }
}

--
Michael W. Lucas mwlucas@xxxxxxxxxxx, mwlucas@xxxxxxxxxxxxxxxxxxxx
http://www.BlackHelicopters.org/~mwlucas/
Latest book: PGP & GPG -- http://www.pgpandgpg.com
"The cloak of anonymity protects me from the nuisance of caring." -Non Sequitur
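The two checks this thread turns on, the reply digest that fails when the two sides hold different shared secrets and the Identifier matching that matters once requests are retransmitted, as an added example in Python (not code from the thread, from Squid, or from squid_radius_auth). It builds an Access-Request per RFC 2865, has a "server" answer it, and then verifies the Response Authenticator MD5(Code + ID + Length + RequestAuth + Attributes + Secret) with a constant-time compare before the helper would ever answer OK or ERR. The secret "secret1", the username, the password and the identifier values are constructed sample data, not values from the thread.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attribute(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: XOR each 16-byte block with an MD5 chain seeded by
    secret + Request Authenticator, so the secret is needed to recover it."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(secret, identifier, username, password, request_auth=None):
    """Client side: Access-Request with a fresh 16-byte Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    body = attribute(ATTR_USER_NAME, username.encode()) + attribute(
        ATTR_USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + request_auth + body, request_auth


def response_authenticator(secret, code, identifier, length, request_auth, attrs):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_response(secret, code, identifier, request_auth, attrs=b""):
    """Server side: the reply digest is computed with the server's copy of the secret."""
    length = 20 + len(attrs)
    auth = response_authenticator(secret, code, identifier, length, request_auth, attrs)
    return struct.pack("!BBH", code, identifier, length) + auth + attrs


def check_response(secret, packet, expected_identifier, request_auth):
    """Client side: return (verdict, reason). verdict is True for OK, False for
    ERR, None when the packet must be discarded without answering Squid."""
    if len(packet) < 20:
        return None, "short packet"
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None, "length mismatch"
    # A reply to an earlier (retransmitted or timed-out) request carries a
    # different Identifier; it must not be taken as the answer for this one.
    if identifier != expected_identifier:
        return None, "identifier mismatch (stale or foreign response)"
    expected = response_authenticator(secret, code, identifier, length, request_auth, packet[20:])
    if not hmac.compare_digest(expected, packet[4:20]):
        return None, "invalid reply digest (shared secret mismatch or corrupted packet)"
    if code == ACCESS_ACCEPT:
        return True, "OK"
    if code == ACCESS_REJECT:
        return False, "ERR"
    return None, "unexpected code %d" % code


def demo():
    """Constructed scenario: one request, then three candidate replies."""
    secret = b"secret1"                 # constructed sample, same placeholder as the posted helper
    ident = 7
    _, req_auth = build_access_request(secret, ident, "alice", "correct horse battery")
    return {
        # server holds the same secret: digest verifies, helper answers OK
        "good": check_response(secret, build_response(secret, ACCESS_ACCEPT, ident, req_auth),
                               ident, req_auth),
        # server configured with a different secret: the "invalid reply digest" case
        "wrong_secret": check_response(secret, build_response(b"secret2", ACCESS_ACCEPT, ident, req_auth),
                                       ident, req_auth),
        # late reply to the previous request: must be dropped, not treated as this answer
        "stale": check_response(secret, build_response(secret, ACCESS_ACCEPT, ident - 1, req_auth),
                                ident, req_auth),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(name, verdict, reason)
```

The order of checks is deliberate: a helper that answers Squid with OK or ERR from any datagram that happens to arrive on its socket, without first matching the Identifier to the outstanding request and verifying the digest, has no way to tell a genuine Access-Accept from a stale or foreign one. Discarding such packets (and letting the request time out and retransmit) is the safe failure mode.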