LDAP/MSCHAP

Phil Mayers p.mayers at imperial.ac.uk
Fri Nov 11 08:54:30 CET 2011


On 11/10/2011 11:36 PM, Sallee, Stephen (Jake) wrote:
> Please forgive the interjection, but does anyone know of a helper
> module like ntlm_auth that would work with LDAP, seems like such a
> tool would make questions like this a non-issue.

MSCHAP is a challenge-response mechanism. To execute the cryptographic 
calculation, you MUST have access to the NT or LM hashes of the user's 
password.

It's unclear to me what kind of "helper" module you're envisaging; 
perhaps a USB-attached quantum computer that can crack the crypto in 
realtime ;o)

In all seriousness - there's nothing to "help" here. People wanting to 
do MSCHAP must have either:

  1. The NT or LM hashes
  2. The cleartext password, to generate the NT/LM hashes
  3. Access to a system which will perform the MSCHAP crypto for them 
     (i.e. a domain controller, access via samba/ntlm_auth)

This is by design - the cryptographic properties of MSCHAP were created 
intentionally to make this the case.