rudat at endstelle.de
Sun Nov 13 12:30:50 CET 2011
On 12.11.2011 23:00, Sven Hartge wrote:
> Sven Hartge <sven at svenhartge.de> wrote:
>> Andreas Rudat <rudat at endstelle.de> wrote:
>>> On 11.11.2011 03:56, Fajar A. Nugraha wrote:
>>>> On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten <Ggatten at waddell.com> wrote:
>>>>> I agree with Jake, in that I *think* it would be possible to have a
>>>>> plugin or whatever interface with LDAP/AD in the same manner
>>>>> ntlm_auth does. I don't think one *needs* a cleartext password,
>>>>> but does need some way to compare apples-to-apples.
>>>> That's exactly what Alan is saying: " store your passwords in the
>>>> LDAP as NT-Password or LM-Password "
>>> But if that works, why then all are saying that you can just work
>>> with plaintext? It's really confusing.
>> NT/LM-Password is "special". This is why it works with MSCHAPv2, both
>> being a Microsoft "invention".
> To be precise: MSCHAPv2 works with the NT/LM-Password as input to the
> Challenge-Handshake and not the "raw" cleartext password. This is why
> this works.
> FreeRADIUS converts a cleartext password into the needed NT-Hash and
> then applies this to the MSCHAPv2 handshake. Or it uses a pre-existing
> NT-Hash from LDAP/MySQL/whatever.
> Quote from http://en.wikipedia.org/wiki/NTLM
> | The NTLM protocol uses one or both of two hashed password values, both
> | of which are also stored on the server (or domain controller), and which
> | are password equivalent, meaning that if you grab the hash value from
> | the server, you can authenticate without knowing the actual password.
> This also means you have to protect those Hashes inside your database
> like a raw cleartext password, as you can authenticate to any Windows
> box with the knowledge of the NT/LM-Hash.
> This has been exploited by several Windows trojan horses, which grabbed
> the NT-Hash from the Administrator user to log in to other boxes on the
> network using the same password (or worse: the domain controller).
Ah, many thanks for clearing that up, so both are bad no matter which
mechanism is used.