Re: encrypted password

Felipe Ceglia - PY1NB <felipe-listas@terenet.com.br> · Wed, 13 Jun 2007 08:50:10 -0300

Hi there,

Thank you for your replies, but I cannot manage to make this crypt thing 

work.

I dont have the " on the databse, it looks like:

mysql> select * from radcheck where username = 'anavc';
+----+----------+----------------+---------------+----+
| id | UserName | Attribute      | Value         | op |
+----+----------+----------------+---------------+----+
|  4 | anavc    | Crypt-Password | 9D8wtP7DGqgCg | := |
+----+----------+----------------+---------------+----+

This crypted passwd string is the same which works on /etc/passwd. I 

just copied/pasted it to ensure it was ok.

---------------------------------------------------------------

If you would like to see my radiusd.conf, please go to:
http://pastebin.ca/563974

---------------------------------------------------------------

When I try to put "pap" on the authorize section, server dies:

radiusd.conf: "PAP" modules aren't allowed in 'authorize' sections -- 

they have no such method.

----------------------------------------------------------------

I **think** I am sending the password string as clear text, as I am 

trying it via radtest. It seems like it first try to send cleartext 

password, and then it truncates it in someway:

radtest anavc 2572ava localhost:1645 0 teste
Sending Access-Request of id 216 to 127.0.0.1:1645
        User-Name = "anavc"
        User-Password = "2572ava"
        NAS-IP-Address = intranet
        NAS-Port = 0
Re-sending Access-Request of id 216 to 127.0.0.1:1645
        User-Name = "anavc"
        User-Password = "\336P\325\315C\261{<j\336\346\3725\203\np"
        NAS-IP-Address = intranet
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=216, length=20

-----------------------------------------------------------------

Thank you for being nice,

Felipe

Hmm,

You are sending the users password as plaintext or something reversible 

like GTC ?

You can only use crypted passwords if the pass-phrase is being sent in 

the clear...

Oh and you'd also need the PAP module uncommented in authorise and 

authenticate, as it's the one that deals with calculating hashes for 

comparison.