Re: BUG #16106: Patch - Radius secrets always gets lowercased

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Magnus Hagander <magnus@hagander.net>
Cc: Marcos David <mdavid@palantir.com>, "pgsql-bugs@lists.postgresql.org" <pgsql-bugs@lists.postgresql.org>
Date: 2019-11-12T18:07:14Z
Lists: pgsql-bugs
Magnus Hagander <magnus@hagander.net> writes:
> On Tue, Nov 12, 2019 at 10:33 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> However, while you can defeat the downcasing that way, you can't
>> bypass the truncation to NAMEDATALEN.  So it's arguably broken

> I believe the RADIUS standard doesn't actually specify the length of the
> key, so different implementations have different limits. For example
> freeradius has 48 characters, cisco has 63.

I agree that it's somewhat unlikely that truncation at 63 bytes would
matter in practical use-cases, for any of these four parameters.
Still, it's not a good thing, and the fix is trivial given that we
have a suitable function at hand already.

I'll try to improve the docs while I'm at it.

			regards, tom lane



Commits

  1. Avoid using SplitIdentifierString to parse ListenAddresses, too.

  2. Avoid downcasing/truncation of RADIUS authentication parameters.

  3. Support multiple RADIUS servers