setup question : mschap + perl authentication

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Mon Jul 9 23:44:12 CEST 2007


Alan DeKok wrote:
> Johan wrote:
>   
>> I'm wondering if it's possible to authenticate a user who is using
>> mschap authentication with perl.
>>     
>
>   Sure.  Just re-write all of the MS-CHAP authentication protocol in
> rlm_mschap in Perl.
>
>   But why the heck would you want to do that?
>
>   
You know I've been thinking of doing that in PHP (PHP Based supplicant 
for weblogin via RADIUS), I'm sure it's possible... and it would be of 
some benefit, just the RFC makes my head hurt... one of the few times 
I've regretted not studying computer science. *sigh* something to do 
with hashing the NT hash using different sha functions.

Got PAP working though that's not exactly hard... and CHAP seems very 
easy, so I'll do that tomorrow.

Have a request hash <Radius to Supplicant>
Hash this hash with a hash of the password <Supplicant>
Here have the request hash and the hash of the request hash with the 
password.. <Supplicant to Radius>
*works*

And the advantage of supporting MSChap is that you don't have to store 
your passwords in cleartext... Just NT4 or LMHash which while not much 
more secure than cleartext, looks far more impressive in a password 
database.

But yes, as Alan said, why bother implementing the server side MSChap 
module in perl ... rlm_perl wasn't really designed for this kind of 
stuff, more for request flow control and acquiring extra attributes from 
databases and various other perly type things.

You ok Alan? You've seemed less yeah go look at this howto / man page 
and more *stab stab* die recently ...

Sorry abundance of Guinness ...

Thanks,
Arran
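
The CHAP exchange mentioned in the message above, written out as RFC 1994 defines it and as RADIUS carries it in the CHAP-Password attribute (RFC 2865). This is an added example, not part of the original post or of FreeRADIUS; the function names and the sample password are made up for illustration. The last check shows the storage consequence: the server recomputes the response from the password itself, so a stored hash of the password cannot verify CHAP.

```python
import hashlib
import hmac
import secrets


def new_challenge(length: int = 16) -> bytes:
    """Server side: a fresh random challenge per attempt, so responses cannot be replayed."""
    return secrets.token_bytes(length)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Supplicant side: RFC 1994 response = MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RADIUS CHAP-Password value (RFC 2865): 1-octet ident + 16-octet response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify(attr: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """Server side: recompute the response from what is stored and compare."""
    if len(attr) != 17:
        return False
    ident, received = attr[0], attr[1:]
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(received, expected)  # constant-time comparison


if __name__ == "__main__":
    password = b"constructed-password"  # constructed sample value
    challenge = new_challenge()
    attr = chap_password_attr(7, password, challenge)

    print("correct password:      ", verify(attr, challenge, password))
    print("wrong password:        ", verify(attr, challenge, b"guess"))
    # Same response presented against a different challenge: rejected.
    print("replayed response:     ", verify(attr, new_challenge(), password))
    # Server that kept only a hash of the password cannot recompute the response.
    only_hash = hashlib.sha256(password).digest()
    print("server holds only hash:", verify(attr, challenge, only_hash))
```
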


