Creating an NT-Password value with python

jon michaels joniamasad at gmail.com
Sat Nov 21 15:15:33 CET 2009


Thanks for your quick response, Bjørn.

On Sat, Nov 21, 2009 at 4:09 PM, Bjørn Mork <bjorn at mork.no> wrote:
>> I then proceed to add the user in mysql:
>> insert into radcheck (username,attribute,value,op) values
>> ('testuser','NT-Password','\xdb4mi\x1dz\xccM\xc2b]\xb1\x9f\x9e?R',':=');
>
> You'll have to insert the actual octets as produced by
> create_NT_hashed_password_v1 and not the weird display format used by
> python for printing the unprintable.
>
> If you insert
>
> mysql> insert into radcheck (username,attribute,value,op) values
>    -> ('testuser','NT-Password','\xdb4mi\x1dz\xccM\xc2b]\xb1\x9f\x9e?R',':=');
> Query OK, 1 row affected (0.00 sec)
>
> then you get:
>
>
> mysql> select * from radcheck;
> +----+----------+-------------+----+--------------------------------+
> | id | username | attribute   | op | value                          |
> +----+----------+-------------+----+--------------------------------+
> |  1 | testuser | NT-Password | := | xdb4mix1dzxccMxc2b]xb1x9fx9e?R |
> +----+----------+-------------+----+--------------------------------+
> 1 row in set (0.00 sec)
>
>
> which is invalid.
>
> I suggest you use python to insert the value into mysql, *as it is
> returned* from create_NT_hashed_password_v1.
>
> For testing, you can probably get away with something like
> mysql> insert into radcheck (username,attribute,value,op) values ('testuser','NT-Password', concat(0xdb, "4mi", 0x1d, "z", 0xcc, "M", 0xc2, "b]", 0xb1, 0x9f, 0x9e, "?R"),':=');

I tried your example, and did the same using python.

My user entries look like this now:
| 13 | tester   | NT-Password | := | ?4miz?M?b]????R |
| 12 | testuser | NT-Password | := | ?4miz?M?b]????R |

Radius also seems to like this a lot more than the initial test. It now shows

[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Told to do MS-CHAPv2 for testuser with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect

vs

[mschap] Invalid NT-Password

shown during the first attempt.

However, I didn't manage to authenticate either of the two. It seems
that so far radius likes the value enough to not complain that it's
invalid. Is the format correct, or is there something else I need to
change in my configuration for the MS-CHAPv2 response to be correct?

Cheers,

Jon.
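
The encoding problem discussed in this thread, as an added example that is not part of the original messages: it reproduces the 30-character value MySQL stored when Python's display text was pasted into a quoted literal, then builds the two forms that carry the real 16 octets. The function names are hypothetical, the escape table models MySQL's default string-literal rules, and the `%s` placeholders assume a DB-API MySQL driver.

```python
# Added example built from the values quoted in this thread.
# The 16 octets of the NT hash, written as a Python bytes literal.
NT_HASH = b'\xdb4mi\x1dz\xccM\xc2b]\xb1\x9f\x9e?R'

# Escape sequences MySQL interprets inside a quoted string (default sql_mode).
MYSQL_ESCAPES = {'0': '\0', "'": "'", '"': '"', 'b': '\b', 'n': '\n',
                 'r': '\r', 't': '\t', 'Z': '\x1a', '\\': '\\'}

def python_display_form(raw):
    """Text Python prints for raw bytes: repr() without the b'...' wrapper."""
    return repr(raw)[2:-1]

def mysql_unescape(literal):
    """Return what MySQL stores for the body of a quoted string literal."""
    out, i = [], 0
    while i < len(literal):
        ch = literal[i]
        if ch == '\\' and i + 1 < len(literal):
            nxt = literal[i + 1]
            if nxt in '%_':
                out.append('\\' + nxt)      # kept verbatim for LIKE patterns
            else:
                # Unknown escapes such as \x only lose their backslash.
                out.append(MYSQL_ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return ''.join(out)

def mysql_hex_literal(raw):
    """Encode the octets as a MySQL hexadecimal literal for the mysql client."""
    if len(raw) != 16:
        raise ValueError("an NT hash is exactly 16 octets, got %d" % len(raw))
    return '0x' + raw.hex()

def execute_args(username, raw):
    """Arguments for cursor.execute(): the driver sends the raw octets itself."""
    sql = ("INSERT INTO radcheck (username,attribute,value,op) "
           "VALUES (%s,'NT-Password',%s,':=')")
    return sql, (username, raw)

if __name__ == '__main__':
    pasted = python_display_form(NT_HASH)
    stored = mysql_unescape(pasted)
    print('pasted into SQL :', pasted)
    print('stored by MySQL :', stored, '(%d characters)' % len(stored))
    print('hex literal     :', mysql_hex_literal(NT_HASH))
    print('check with      : SELECT username, HEX(value) FROM radcheck;')
```

`SELECT HEX(value)` shows the stored octets unambiguously, which the `?` placeholders in a terminal listing cannot.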



