PAP/SSHA plus MS-CHAP on 2.17

Eric Swanson swanson at technologypartnerds.com
Thu Jan 14 09:18:28 CET 2010


On Wed, Jan 13, 2010 at 10:48 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Eric Swanson wrote:
>> ...
>> [ldap] Added User-Password = {SSHA}i9--censored--JI in check items
>> [ldap] looking for check items in directory...
>> rlm_ldap: sambaNtPassword -> NT-Password == 0x4338--censored--4531
>> rlm_ldap: sambaLmPassword -> LM-Password == 0x4637--censored--4545
>
>  You have 3 versions of the "known good" password for the user.  Which
> one do you want to use?

Alan:

Thanks so much for getting back to me.

My intent is to use the SSHA password -- of the ones my LDAP system
must maintain, I assumed it would be the most straightforward (better
than those Windows ones anyway).

>> [pap] Using CRYPT encryption.
>
>  And the "pap" module isn't configured to use any of them.
>
>> The part that seems strange to me is that the system clearly
>> identifies the type of passwords we are using ("Normalizing
>> SSHA1-Password from base64 encoding" seems proof enough of that), but
>> a couple lines later PAP has decided to use CRYPT encryption for some
>> reason.  I can't imagine what I've done to make the system believe it
>> should use CRYPT instead of SSHA.
>
>  Check the configuration of the PAP module.

Here's my modules/pap in its entirety:

pap {
        auto_header = yes
}

I haven't found any information on other (non-deprecated) directives
that go in this file.  If there's a way to tell PAP to use the SSHA
password, I would _love_ to hear it.

There's not much to the rest of my PAP-related configuration.

In sites-available/default under the authorization section, PAP is
listed last, just like this:
        pap


In sites-available/default under the authentication section, PAP is
listed first like this:
        Auth-Type PAP {
                pap
        }

I'm excited about your note's implication that there's a way to tell
PAP which password to use.  If that's really true, I think all I need
is to be pointed to information about how to do so.

Thankx,

E.
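
Added example, not part of the original post and not FreeRADIUS code: a Python sketch of what checking a PAP password against an LDAP `{SSHA}` value involves, namely reading the `{scheme}` header, base64-decoding the rest, and comparing salted SHA-1 digests. The function names, sample password and salt are constructed for illustration.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # bytes in a SHA-1 digest


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an LDAP-style value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_header(value: str):
    """Split '{SCHEME}data' into (SCHEME, data); no header gives (None, value)."""
    if value.startswith("{") and "}" in value:
        scheme, _, data = value[1:].partition("}")
        return scheme.upper(), data
    return None, value


def check_ssha(stored: str, candidate: bytes) -> bool:
    """Return True if the cleartext candidate matches the stored {SSHA} value."""
    scheme, data = split_header(stored)
    if scheme != "SSHA":
        # A different header means a different comparison (e.g. crypt);
        # hashing it as SSHA would always fail, so refuse loudly instead.
        raise ValueError(f"not an SSHA value (header: {scheme!r})")
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if len(raw) <= SHA1_LEN:
        return False  # digest or salt missing
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(candidate + salt).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample: password and salt are made up for this example.
    stored = make_ssha(b"correct horse", b"\x01\x02\x03\x04")
    print(stored)
    print(check_ssha(stored, b"correct horse"))  # matching password
    print(check_ssha(stored, b"wrong guess"))    # non-matching password
```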



