PAP password check

mic night micnight at lavabit.com
Tue May 10 16:44:28 CEST 2011


Hello,

I have a FreeRADIUS server that I use to authenticate users before they
access network switches. User passwords reside in an LDAP directory with
the following attributes and formats:

userPassword: (CRYPT password)
sambaNTPassword: (NT Hash)
sambaLMPassword: (LM hash)

PAP is automatically choosing the NT encryption to validate the password.
Is there a way to force PAP to use the userPassword with the CRYPT
encryption?

PS: I have to keep sambaNTPassword and sambaLMPassword along with
userPassword as check items for other use scenarios.

I'll post the relevant part of my RADIUS log file in case it helps.
Thank you.

[ldap] looking for check items in directory...
   [ldap] userPassword -> Password-With-Header == "{CRYPT}$1$$xkbzS/dF4YU/JKyjA5.36."
   [ldap] sambaNtPassword -> NT-Password == 0x4539463933393235373938463136464345394639333932353739384631364642
   [ldap] sambaLmPassword -> LM-Password == 0x4243333041323738464338383546424538393735438383546424538393735456
   [ldap] userPassword -> User-Password == "{CRYPT}$1$$xkbzS/dF4YU/JKyjA5.36."
[ldap] looking for reply items in directory...
[ldap] user theUser authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "thepassword"
[pap] Using NT encryption.
[pap]   expand: %{User-Password} -> thepassword
[pap] NT-Hash of thepassword = e9f93925798f16fc4c9f93925798f1
[pap]   expand: %{mschap:NT-Hash %{User-Password}} -> e9f93925798f16fc4c9f93925798f1
[pap] User authenticated successfully





