Description of problem:
The maximum length of Tunnel-password attribute seems to the 249 characters according the specifications (the is one octet to store the value + there are some other octets used for header). If longer password is set, radiusd accepts it (do not report error and starts), but then the length is truncated to usable value.
That is not intuitive and may confuse users. If the length is over 1022 characters the radiusd simply do not start end report error. IMO, it should be the same for lengths which can not be sent over the protocol (i.e. 250 and more)
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up a test user with Tunnel-password (length 250 characters), eg:
testuser250 Cleartext-Password := passme
Tunnel-Password = PjHzPhdzLzhZELZG7oD5LPW9vpkN0Q3L7n11wrsao1wmsKRrSkeGGxYiP8wJTfNjKAE4pNE1cdmdu574XmtkCHOPQBGDXeYc04iqWa6fqZVyzHaQIQKuBHFz19T2PgOGKWiV2qRtmdar9ReRH72HDvfJQPBBgXIe7ic956pOL539GpsYIdrpikaZ2UEiVZBcgblMbEp8Brmd4m9e0rFbkkAXLHfu736URPnaaL77CKc1GRgsrSV5nTVPfy
2. Run the server
3. Test with radtest:
# radtest testuser250 passme localhost 0 testing123
Sent Access-Request Id 223 from 0.0.0.0:41687 to 127.0.0.1:1812 length 92
User-Name = "email@example.com"
User-Password = "passme"
NAS-IP-Address = 192.168.100.70
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "passme"
Received Access-Accept Id 223 from 127.0.0.1:1812 to 0.0.0.0:0 length 275
Tunnel-Password:0 = "PjHzPhdzLzhZELZG7oD5LPW9vpkN0Q3L7n11wrsao1wmsKRrSkeGGxYiP8wJTfNjKAE4pNE1cdmdu574XmtkCHOPQBGDXeYc04iqWa6fqZVyzHaQIQKuBHFz19T2PgOGKWiV2qRtmdar9ReRH72HDvfJQPBBgXIe7ic956pOL539GpsYIdrpikaZ2UEiVZBcgblMbEp8Brmd4m9e0rFbkkAXLHfu736URPnaaL77CKc1GRgsrSV5nTVPf"
^^^ Note the missing 'y' at the end of Tunnel-password attribute.
Patrik / Filip,
Do either of you know if this is fixed on the RHEL 8 builds? I swear I've seen something related to this upstream, but I'm not sure if it is fixed in 3.0.17 or something newer (definitely would be in 3.0.19 **if** my memory was correct).
IIRC, this is a limitation in the RFC.
(In reply to Alex Scheel from comment #1)
> Patrik / Filip,
> Do either of you know if this is fixed on the RHEL 8 builds?
It does not seem to be the case.
My test is failing in the same way as it fails with the RHEL 7 build, for which the issue was reported
> IIRC, this is a limitation in the RFC.
I did not check the RFC, but the reported problem here is not that it does not support long passwords. The problem is that it does not detects and reports the limitation with the password length.