bug-gnu-radius

Re: [Bug-gnu-radius] Why GNU Radius does not follow RFC in client/server


From: Yuri Kulaghin
Subject: Re: [Bug-gnu-radius] Why GNU Radius does not follow RFC in client/server exchange?
Date: Tue, 5 Mar 2002 16:32:29 +0300 (MSK)

On Tue, 5 Mar 2002, Sergey Poznyakoff wrote:

> > As I see in the sources GNU Radius makes Authenticator field in packet
> > header as random bytes set, i.e. without any using of the shared secret!
> 
> You seem to have misunderstood the RFC. The request authenticator sent
> by the client application _is a random number_. This should not be
> confused with the authenticator returned by the server side. The
> following should explain this:
> 
> Quoting RFC 2138 (Page 10):
> 
> Request Authenticator
> 
>       In Access-Request Packets, the Authenticator value is a 16 octet
>       random number, called the Request Authenticator.  The value SHOULD
>       be unpredictable and unique over the lifetime of a secret (the
>       password shared between the client and the RADIUS server)
> 
[skip]

You try to explain to me only RFC 2138, but an essential part of RADIUS is
RFC 2139/2866 (Accounting). The making of the authenticator field in accounting
packets is very different from the one in authentication packets. But GNU
Radius does not make any difference between packet types! It is now incompatible
in accounting with other RADIUS servers/clients which follow the RFCs more
accurately.

> > Moreover, Authenticators of all packets during one second are equal
> > because srand(time(NULL)) is called at each Authenticator making!
> 
> A method providing for better entropy is now being developed.
> 

If GNU Radius calls srand(time(NULL)) at EACH Authenticator making,
any method will be useless!

> > What can it say about GNU Radius secure after that?
> 
> This all being said, it is up to you to decide.
> 
> Regards,
> Sergey
> 

-- 
Yuri.
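A worked illustration of the distinction raised in this message, added here and not part of the thread or of GNU Radius itself: under RFC 2866 the Accounting-Request authenticator is the MD5 digest of the packet with the authenticator field zeroed, followed by the shared secret, so a server can verify it, whereas the Access-Request authenticator of RFC 2138 is simply 16 unpredictable random octets. The identifier, attribute values and secret below are constructed sample data.

```python
import hashlib
import hmac
import os
import struct

ACCOUNTING_REQUEST = 4
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attributes(attrs):
    """Serialize (type, value) pairs as RADIUS AVPs: type(1) length(1) value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def access_request_authenticator():
    """RFC 2138: 16 unpredictable random octets, drawn from the OS CSPRNG
    rather than from a rand() stream reseeded with the current second."""
    return os.urandom(16)


def accounting_request_authenticator(identifier, payload, secret):
    """RFC 2866 section 3: MD5(Code + Identifier + Length + 16 zero octets
    + Attributes + Secret). The shared secret is an input here, unlike the
    Access-Request case."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(payload))
    return hashlib.md5(header + bytes(16) + payload + secret).digest()


def build_accounting_request(identifier, attrs, secret):
    """Assemble a complete Accounting-Request packet (sample values from caller)."""
    payload = encode_attributes(attrs)
    auth = accounting_request_authenticator(identifier, payload, secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(payload))
    return header + auth + payload


def verify_accounting_request(packet, secret):
    """Server-side check: recompute the digest with the authenticator field
    zeroed and compare in constant time. A packet whose authenticator is
    random bytes (the Access-Request style) fails this check."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = accounting_request_authenticator(identifier, packet[HEADER_LEN:], secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)
```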