Hash/Salt password with mysql

Moataz Elmasry zaza1851983ml at googlemail.com
Thu Aug 20 23:38:20 CEST 2015 

It worked!!!! Many thanks.

The problem was, as you correctly pointed that the salt was coming out of
the db not hex encoded.

Here is the final settings of sites-enabled/default:

update control {
                Tmp-String-0 := "%{sql:SELECT hash FROM accounts_dummy
WHERE username = '%{User-Name}'}"
                Tmp-String-1 := "%{sql:SELECT salt FROM accounts_dummy
WHERE username = '%{User-Name}'}"
        }

        update control {
                SSHA-Password :=
"0x%{control:Tmp-String-0}%{control:Tmp-String-1}"
        }


Here's a nodejs function that will return the hash and the salt hex to be
used in two separate columns:

var hashSimple = function (value, salt) {

        var shasum = crypto.createHash('md5')
        shasum.update(value)
        shasum.update(salt)

        console.log("Hash encoded in hex=" + shasum.digest('hex'))
        console.log("Salt encoded in hex=" + new
Buffer(salt).toString("hex"))
}

or if someone wants to store both into the 'radcheck' table as one field as
usual instead of using this twisted way like me, then here's how to

var hashSimple = function (value, salt) {

        var shasum = crypto.createHash('md5')
        shasum.update(value)
        shasum.update(salt)

        console.log("Full hash encoded in hex=" + new Buffer.concat([
shasum.digest() , new Buffer(salt) ]).toString('hex'))
}


So it was kinda a user misunderstanding, the tutorial on:
https://www.packtpub.com/books/content/freeradius-authentication-storing-passwords
is quite good actually, but I misunderstood what really the Perl script does

Thanks and regards

On Tue, Aug 11, 2015 at 1:29 AM, Arran Cudbard-Bell <
a.cudbardb at freeradius.org> wrote:

>
> > On 10 Aug 2015, at 17:23, Moataz Elmasry <zaza1851983ml at googlemail.com>
> wrote:
> >
> > No I didn't hex encode it.
> >
> > I'm using a stock freeradius 2.1.12 coming with Ubuntu 14.04
> >
> > The table has been created as follows:
> >
> > This is the table schema
> >
> > CREATE TABLE `accounts_dummy` (
> >   `id` int(11) NOT NULL AUTO_INCREMENT,
> >   `username` varchar(45) NOT NULL,
> >   `hash` varchar(255) NOT NULL,
> >   `salt` varchar(45) NOT NULL,
> >   PRIMARY KEY (`id`),
> >   UNIQUE KEY `id_UNIQUE` (`id`)
> > ) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
> >
> >
> > And insert the user as follows
> > echo "INSERT INTO `accounts_dummy` (`id`, `username`, `hash`, `salt`)
> VALUES ('1', 'freddi', '$( echo -n "wilmaberlin" | openssl sha1)',
> 'berlin');" > insert_user.sql
> >
> > After insertion I made sure that the sha1 in the db is:
> ae5fb20004bd032779db7ecb7eda7973fa25d281
> >
>
> So you'd want:
>
>         update control {
>                 SSHA-Password :=
> "%{control:Tmp-String-0}%{hex:control:Tmp-String-1}"
>         }
>
> That way you've concatenated the digest, which is hex, with the salt,
> which is now also hex.
>
> When rlm_pap normalises the string, the buffer will contain the binary
> hash, and the cleartext salt, concatenated together.
>
> Here's what the code does:
>
> static rlm_rcode_t CC_HINT(nonnull) pap_auth_ssha(rlm_pap_t *inst, REQUEST
> *request, VALUE_PAIR *vp)
> {
>         fr_SHA1_CTX sha1_context;
>         uint8_t digest[128];
>
>         RDEBUG("Comparing with \"known-good\" SSHA-Password");
>
>         /* Attempt to convert base64 and hex, back to binary */
>         if (inst->normify) {
>                 normify(request, vp, 20);
>         }
>         if (vp->vp_length <= 20) {
>                 REDEBUG("\"known-good\" SSHA-Password has incorrect
> length");
>                 return RLM_MODULE_INVALID;
>         }
>
>         /* Run the password we received from the user through sha1 */
>         fr_sha1_init(&sha1_context);
>         fr_sha1_update(&sha1_context, request->password->vp_octets,
> request->password->vp_length);
>
>         /* Run any bytes after the sha1 hash through sha1 */
>         fr_sha1_update(&sha1_context, &vp->vp_octets[20], vp->vp_length -
> 20);
>         fr_sha1_final(digest, &sha1_context);
>
>         /* Compare the resulting digests */
>         if (rad_digest_cmp(digest, vp->vp_octets, 20) != 0) {
>                 REDEBUG("SSHA digest does not match \"known good\"
> digest");
>                 return RLM_MODULE_REJECT;
>         }
>
>         return RLM_MODULE_OK;
> }
>
> Repeated calls to fr_sha1_update are the same as if you'd fed the
> concatenated string into sha1.
>
> If your salt is not hex armoured, the normalisation code is going to see
> the string contains non hex chars, and assume its in its binary/cleartext
> form already.
>
> If this still doesn't work, please post the output (radiusd -X)
>
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS development team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>

More information about the Freeradius-Users mailing list