25.03.b.20250306.0140 - if_pppoe kernel module chap failure
-
@kprovost Sorry, I can't try that pkg as I'm on arm64. Could that be the problem? Different alignment requirements?
The password should be correct as I'm not changing any config when flipping between mpd5 and if_pppoe and back again. Always works with mpd5, always fails with if_pppoe.
-
@femtosize Ah, yeah, an amd64 (and CE) kernel module won't work on arm64, of course.
I don't expect there to be alignment issues in this particular code. That's one thing that might be going wrong, but it's also possible there are issues in how the PHP passes the password via pppcfg, so it's worth checking this anyway.
I'll make an arm64 build, but that might not happen until Monday.
-
@kprovost I've figured it out. There's been a space at the start of the password since I entered it years ago. The mpd5 code path writes it to a config file with no quotes around it so it just worked.
The if_pppoe path uses it on a command line surrounded by quotes and so it fails until I remove the space. This does make me think it might be interesting if my username or password had / " or ; in it.
-
@femtosize said in 25.03.b.20250306.0140 - if_pppoe kernel module chap failure:
@kprovost I've figured it out. There's been a space at the start of the password since I entered it years ago. The mpd5 code path writes it to a config file with no quotes around it so it just worked.
The if_pppoe path uses it on a command line surrounded by quotes and so it fails until I remove the space. This does make me think it might be interesting if my username or password had / " or ; in it.
Seems like a bug to me for pfSense to inconsistently handle non-printing characters at the beginning or end of any string.
-
@femtosize Ah, thanks for figuring that out.
I'll add a Redmine for this, and a reminder to check for escaping things like " and ' and .
-
For reference: https://redmine.pfsense.org/issues/16128
-
I'm getting the same error.
My password begins with an exclamation mark.
This is on the release version of pfsense 2.8 CE
-
The proper fix would be to base64 encode the password before passing it to the command line and so avoid all the escaping issues.
The command would then do the decode before passing it to the kernel module.
In theory PPP passwords could contain all sorts of mad characters as all bytes are valid. Passing them directly as a command line argument will always be dangerous.
Having the connection not work is probably the least worst thing that could happen.
-
You should probably comment on the bug report for better visibility.
-
If "if_pppoe" is enabled, PPPoE connection fails with a username containing the "$" symbol. (2.8.0-RELEASE)
The following log is output repeatedly.
if_pppoe: pppoe0: chap failure
-
Have you opened a bug for that?
-
@stephenw10 This is just another example of what I tried to explain in
https://redmine.pfsense.org/issues/16128
Passing passwords as command line arguments is always going to result in failures like this.
It needs to be addressed as a security issue. I've not tried it but I bet a password with
;rm -rf /;
in it would be pretty destructive.
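-
Added example, not part of the thread and not pfSense code: a shell sketch of the base64 proposal made above. It compares placing a password between double quotes in a shell-parsed command string with passing it base64-encoded; `printf` is a placeholder for the real receiving command, and the function names and sample passwords are constructed for illustration.

```shell
#!/bin/sh
# Added example. printf is a placeholder receiver; sample passwords are constructed.

# Naive: put the secret between double quotes in a command string that a
# shell parses. Prints what the child process actually received.
naive_roundtrip() {
    cmd="printf '%s' \"$1\""
    sh -c "$cmd" 2>/dev/null
}

# Encoded: only [A-Za-z0-9+/=] reaches the command string, so there is
# nothing for the shell to expand or unquote; the receiver decodes.
b64_roundtrip() {
    enc=$(printf '%s' "$1" | base64 | tr -d '\n')
    cmd="printf '%s' \"$enc\" | base64 -d"
    sh -c "$cmd"
}

# survives <naive|b64> <password>: true if the receiver got the exact bytes.
# (Command substitution drops trailing newlines, so those are out of scope.)
survives() {
    got=$("${1}_roundtrip" "$2") || return 1
    [ "$got" = "$2" ]
}

# Print one line per mode showing whether the password arrived unchanged.
report() {
    for mode in naive b64; do
        if survives "$mode" "$1"; then r=intact; else r=ALTERED; fi
        printf '%-6s [%s] %s\n' "$mode" "$1" "$r"
    done
}

report ' leading-space'       # kept verbatim by both: quoting preserves it
report 'Tr0ub$dor_demo9'      # naive: $dor_demo9 expands to an empty string
report 'say"cheese'           # naive: the embedded quote breaks the quoting
```

Passing the secret as a separate argv element, on stdin, or through a file descriptor avoids the shell parse entirely and also keeps it out of the process list, which base64 on the command line does not.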