Storing hashes in MySQL when using MS_CHAP

Yuriy Grishin grishin-mailing-lists at minselhoz.samara.ru
Tue Mar 17 18:19:01 CET 2009


Hello,

    I'm trying to conceal plain-text passwords from my radius.radcheck 
database so that it'll be useless if it's stolen.
My config is FreeBSD 7.0 + FreeRadius 1.1.7 + mpd4 + MySQL-5.0.67 
(Windows XP and Vista clients)
Well, I found a solution here 
http://www.usenet-forums.com/freeradius-users/280602-re-freeradius-mysql-crypt-passwrd-radcheck-table.html 
written by Alan DeKok.

But I haven't got it working.
radcheck was:
+----+----------+----------------------+----+---------------------------------------+
| id | UserName | Attribute            | op | Value                                 |
+----+----------+----------------------+----+---------------------------------------+
|  1 | user1    | Password-With-Header | := | {md5}c4ca4238a0b923820dcc509a6f75849b |
+----+----------+----------------------+----+---------------------------------------+

and radiusd -X said:

rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
  rlm_chap: login attempt by "user1" with CHAP password
  rlm_chap: Could not find clear text password for user user1
  modcall[authenticate]: module "chap" returns invalid for request 0
modcall: leaving group CHAP (returns invalid) for request 0
auth: Failed to validate the user.

radiusd's searching for a plain-text password.
Then I googled a little bit more and found a combination with  
Attribute='Auth-Type' and  Value='Crypt-Local', generated a hash using
$ openssl passwd -1 1
$1$HR1R2p.2$7tsK8wE30pDf6AQ6KEi6d/

Unfortunately, it doesn't work either.

Is it possible to get hashed passwords together with MS_CHAP?

--
Yuriy Grishin.
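
Added example (not part of the original post and not FreeRADIUS code): a sketch of the RFC 1994 CHAP check, showing why the "Could not find clear text password" line in the debug output follows from storing only an MD5 hash. It assumes the password is "1", as in the openssl command above; the identifier and challenge are constructed values.

```python
import hashlib
import hmac
import os

# Value column of the radcheck row above, without the {md5} header.
STORED_MD5_HEX = "c4ca4238a0b923820dcc509a6f75849b"


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def verify_chap(chap_id: int, challenge: bytes, response: bytes, stored: bytes) -> bool:
    """Server side: recompute the response from whatever the database holds."""
    return hmac.compare_digest(chap_response(chap_id, stored, challenge), response)


def demo(password: bytes = b"1") -> dict:
    # Constructed exchange: identifier 1 and a random 16-byte challenge.
    chap_id, challenge = 1, os.urandom(16)
    response = chap_response(chap_id, password, challenge)  # what the client sends
    return {
        # Assumption check: the stored value is MD5 of the assumed password.
        "stored_is_md5_of_password": hashlib.md5(password).hexdigest() == STORED_MD5_HEX,
        # Cleartext in the database: the server can recompute the response.
        "cleartext": verify_chap(chap_id, challenge, response, password),
        # Only MD5(password) in the database, tried as raw bytes and as hex text.
        "md5_raw": verify_chap(chap_id, challenge, response, bytes.fromhex(STORED_MD5_HEX)),
        "md5_hex": verify_chap(chap_id, challenge, response, STORED_MD5_HEX.encode()),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The response mixes the secret with a per-request challenge inside the hash, so a server holding only MD5(password) has nothing it can feed into the same computation.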


