Storing hashes in MySQL when using MS_CHAP

Yuriy Grishin grishin-mailing-lists at minselhoz.samara.ru
Tue Mar 17 20:02:19 CET 2009


Alan DeKok wrote:
> Yuriy Grishin wrote:
>   
>> Hello,
>>
>>    I'm trying to conceal plain-text passwords from my radius.radcheck
>> database in order to it'll be useless if it's stolen.
>>     
>
>   That's admirable, but generally useless.  And often counter-productive.
>
>   
You bet, I've spent all the day and the result is 0.
>> |  1 | user1    | Password-With-Header | := |
>> {md5}c4ca4238a0b923820dcc509a6f75849b |
>>     
>
>   MD5 hashed passwords...
>
>   
Yes. I did it that way :
mysql> ....Value=concat('{md5}', md5('1')) where ...;
>> and raduis -X said :
>>     
> ...
>   
>> modcall: leaving group authorize (returns ok) for request 0
>>  rad_check_password:  Found Auth-Type CHAP
>>     
>
>   ... are incompatible with CHAP.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
>   What you want to do is impossible.  You MUST have the clear-text
> passwords in the DB in order to do CHAP.
>
>   
I suspected that it's impossible so I asked a good (correct) question.
>> It that possible to get hashed passwords together with MS_CHAP?
>>     
>
>   You are doing CHAP, not MS-CHAP.  They are very different.
>   

Yeah, you're right I'm doing CHAP.

Thanks a lot for the explanation!



More information about the Freeradius-Users mailing list