<br><div class="gmail_quote">Hi all,<br><br>Is it possible to keep encrypted passwords in users file?<br><br>For e.g. test Cleartext-Password := "test"<br> Service-type = NAS-Prompt-User<br>
<br>instead of cleartext can we have encrypted passwords here.<br>
<br><br>Thanks.<br><br><br><div class="gmail_quote"><div><div></div><div class="Wj3C7c">On Thu, Mar 13, 2008 at 4:32 PM, <<a href="mailto:freeradius-users-owner@lists.freeradius.org" target="_blank">freeradius-users-owner@lists.freeradius.org</a>> wrote:<br>
</div></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><div></div><div class="Wj3C7c">
You are not allowed to post to this mailing list, and your message has<br>
been automatically rejected. If you think that your messages are<br>
being rejected in error, contact the mailing list owner at<br>
<a href="mailto:freeradius-users-owner@lists.freeradius.org" target="_blank">freeradius-users-owner@lists.freeradius.org</a>.<br>
<br>
<br><br></div></div>---------- Forwarded message ----------<br>From: "ashish verma" <<a href="mailto:ashish.scit@gmail.com" target="_blank">ashish.scit@gmail.com</a>><br>To: <a href="mailto:freeradius-users@lists.freeradius.org" target="_blank">freeradius-users@lists.freeradius.org</a><br>
Date: Thu, 13 Mar 2008 16:32:21 +0530<br>Subject: encrypted passwords in users file<br>Hi all,<br><br>Is it possible to keep encrypted passwords in the users file?<br><br>e.g. test Cleartext-Password := "test"<br>
Service-type = NAS-Prompt-User<br><br>Instead of cleartext, can we have encrypted passwords here?<br>
<br>Thanks.<br><br><br><br><div class="gmail_quote">On Tue, Oct 23, 2007 at 2:03 PM, <<a href="mailto:freeradius-users-request@lists.freeradius.org" target="_blank">freeradius-users-request@lists.freeradius.org</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Send Freeradius-Users mailing list submissions to<br>
<a href="mailto:freeradius-users@lists.freeradius.org" target="_blank">freeradius-users@lists.freeradius.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://lists.freeradius.org/mailman/listinfo/freeradius-users" target="_blank">http://lists.freeradius.org/mailman/listinfo/freeradius-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:freeradius-users-request@lists.freeradius.org" target="_blank">freeradius-users-request@lists.freeradius.org</a><br>
<br>
You can reach the person managing the list at<div class="Ih2E3d"><br>
<a href="mailto:freeradius-users-owner@lists.freeradius.org" target="_blank">freeradius-users-owner@lists.freeradius.org</a><br>
<br></div>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Freeradius-Users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Are SHA-256 certificates supported? (<a href="mailto:hannu.lammi@wipsl.com" target="_blank">hannu.lammi@wipsl.com</a>)<br>
2. Re: Freeradius doesn't detect EAP when authenticating against<br>
MySQL (Alan DeKok)<br>
3. Re: TTLS with Mutual Authentication (Alan DeKok)<br>
4. Re: Are SHA-256 certificates supported? (Alan DeKok)<br>
5. FreeRADIUS and SNMP questions (Geoffroy Arnoud)<br>
6. Re: Freeradius doesn't detect EAP when authenticating against<br>
MySQL (primoz)<br>
7. Re: FreeRADIUS and SNMP questions (Alan DeKok)<br>
8. Re: Freeradius doesn't detect EAP when authenticating against<br>
MySQL (Alan DeKok)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Tue, 23 Oct 2007 10:10:05 +0300 (EEST)<br>
From: <a href="mailto:hannu.lammi@wipsl.com" target="_blank">hannu.lammi@wipsl.com</a><br>
Subject: Are SHA-256 certificates supported?<br>
To: <a href="mailto:freeradius-users@lists.freeradius.org" target="_blank">freeradius-users@lists.freeradius.org</a><br>
Message-ID: <<a href="mailto:14671.192.100.116.143.1193123405.squirrel@mail.wipsl.com" target="_blank">14671.192.100.116.143.1193123405.squirrel@mail.wipsl.com</a>><br>
Content-Type: text/plain;charset=utf-8<br>
<br>
Hi,<br>
<br>
I need to set up a RADIUS server that accepts certificates which use<br>
SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set<br>
up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the<br>
box.<br>
<br>
After verifying that EAP-TLS authentication works with SHA-1 certificates<br>
I switched to SHA-256 certificate that was created with OpenSSL 0.9.8b,<br>
the same that FreeRADIUS was compiled against.<br>
<br>
Here's a snippet of the log I got from my SHA-256 test:<br>
<br>
=====<br>
--> verify error:num=7:certificate signature failure<br>
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error<br>
TLS Alert write:fatal:decrypt error<br>
TLS_accept:error in SSLv3 read client certificate B<br>
rlm_eap: SSL error error:0D0C50A1:asn1 encoding<br>
routines:ASN1_item_verify:unknown message digest algorithm<br>
=====<br>
<br>
It would seem there's a problem somewhere. It may very well be in the<br>
client I'm using.<br>
<br>
So, I'd like to know if FreeRADIUS supports SHA-256 certificates?<br>
If it doesn't, is the support for them planned?<br>
<br>
thanks in advance,<br>
- Hannu<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Tue, 23 Oct 2007 09:12:03 +0200<br>
From: Alan DeKok <<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>><br>
Subject: Re: Freeradius doesn't detect EAP when authenticating against<br>
MySQL<br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org" target="_blank">freeradius-users@lists.freeradius.org</a>><br>
Message-ID: <<a href="mailto:471D9EC3.4090609@deployingradius.com" target="_blank">471D9EC3.4090609@deployingradius.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
preem wrote:<br>
> So, what is a common practice to do this then?<br>
<br>
It's not.<br>
<br>
People store MD5 or crypt'd passwords when the ONLY authentication<br>
they're doing is PAP. i.e. Unix logins, where the user supplies a<br>
clear-text password to the authentication system.<br>
<br>
For many EAP types, people do NOT store MD5 or crypt'd passwords,<br>
because they're useless.<br>
<br>
> I understand it's not very<br>
> safe nor sane to store passwords in clear text, that's why I wanted to avoid<br>
> that, however it seems inevitable.<br>
<br>
It is safe, sane, and common practice to store passwords in clear text.<br>
<br>
> I am managing a wired network for some 300 users, it's a student dorm and the<br>
> university owns the network and they require authentication for the ease of<br>
> management and control. 802.1x felt like the right way to go, because we are<br>
> planning some wireless access points as well. There are HP's Procurve 2650<br>
> switches in use. I chose mysql db backend, because I also created set of<br>
> PHP scripts, where users can change their passwords and admin can<br>
> add/del/modify user info.<br>
> So what can one do to avoid storing passes in clear text or is it sane<br>
> enough? The server also serves some web pages and dhcp requests.<br>
<br>
Ensure that no one has physical access to the system storing the<br>
passwords. Ensure that no one has network access to the system storing<br>
the passwords.<br>
<br>
I would also suggest running the RADIUS server and/or the MySQL server<br>
with passwords on a separate machine from the web/dhcp server. That<br>
way, if someone breaks into the web server, they won't have access to<br>
the passwords.<br>
<br>
Alan DeKok.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Tue, 23 Oct 2007 09:23:50 +0200<br>
From: Alan DeKok <<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>><br>
Subject: Re: TTLS with Mutual Authentication<br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org" target="_blank">freeradius-users@lists.freeradius.org</a>><br>
Message-ID: <<a href="mailto:471DA186.5030601@deployingradius.com" target="_blank">471DA186.5030601@deployingradius.com</a>><br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
Zolotov, Eyal wrote:<br>
> By "mutual authentication" I refer to the following authentication process:<br>
><br>
> 1. The client authenticates the server<br>
<br>
Give the client the CA cert used to sign the server cert.<br>
<br>
> 2. The server authenticates the client<br>
<br>
Create a client cert, signed by the server cert.<br>
<br>
> 3. Only then, the client sends username + password using MSCHAPv2<br>
<br>
In unlang, set:<br>
<br>
update control {<br>
EAP-TLS-Require-Client-Cert = yes<br>
}<br>
<br>
This forces the server to validate the client cert, which is normally<br>
not required for TTLS.<br>
<br>
Alan DeKok.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Tue, 23 Oct 2007 09:25:33 +0200<br>
From: Alan DeKok <<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>><br>
Subject: Re: Are SHA-256 certificates supported?<br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org" target="_blank">freeradius-users@lists.freeradius.org</a>><br>
Message-ID: <<a href="mailto:471DA1ED.9050806@deployingradius.com" target="_blank">471DA1ED.9050806@deployingradius.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
<a href="mailto:hannu.lammi@wipsl.com" target="_blank">hannu.lammi@wipsl.com</a> wrote:<br>
> I need to set up a RADIUS server that accepts certificates which use<br>
> SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set<br>
> up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the<br>
> box.<br>
<br>
If OpenSSL supports it, AND the client supplicant supports it, it<br>
should work.<br>
<br>
> Here's a snippet of the log I got from my SHA-256 test:<br>
><br>
> =====<br>
> --> verify error:num=7:certificate signature failure<br>
> rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error<br>
> TLS Alert write:fatal:decrypt error<br>
> TLS_accept:error in SSLv3 read client certificate B<br>
> rlm_eap: SSL error error:0D0C50A1:asn1 encoding<br>
> routines:ASN1_item_verify:unknown message digest algorithm<br>
<br>
That would seem to be an SSL issue.<br>
<br>
> So, I'd like to know if FreeRADIUS supports SHA-256 certificates?<br>
> If it doesn't, is the support for them planned?<br>
<br>
FreeRADIUS doesn't support SSL. It uses OpenSSL, which *does* support<br>
SSL. So if there are SSL issues, find out why OpenSSL doesn't like the<br>
TLS session.<br>
<br>
Alan DeKok.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 5<br>
Date: Tue, 23 Oct 2007 10:04:23 +0200 (CEST)<br>
From: Geoffroy Arnoud <<a href="mailto:garnoud@yahoo.co.uk" target="_blank">garnoud@yahoo.co.uk</a>><br>
Subject: FreeRADIUS and SNMP questions<br>
To: FreeRADIUS users <<a href="mailto:freeradius-users@lists.freeradius.org" target="_blank">freeradius-users@lists.freeradius.org</a>><br>
Message-ID: <<a href="mailto:626622.60897.qm@web27314.mail.ukl.yahoo.com" target="_blank">626622.60897.qm@web27314.mail.ukl.yahoo.com</a>><br>
Content-Type: text/plain; charset=iso-8859-1<br>
<br>
Hi all,<br>
<br>
I have 2 questions regarding FreeRADIUS and SNMP:<br>
<br>
1/ Is it possible to run 2 FreeRADIUS servers on the<br>
same box, with SNMP support activated? I understand<br>
it's possible, using distinct values for smux_password<br>
parameter.<br>
<br>
2/ Connecting FreeRADIUS to Net-SNMP using SMUX is<br>
quite easy. Has anyone connected FreeRADIUS with BMC<br>
Patrol agent using SMUX?<br>
<br>
Thanks for any answer<br>
<br>
Geoff.<br>
<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 6<br>
Date: Tue, 23 Oct 2007 10:08:22 +0200<br>
From: primoz <<a href="mailto:primski@gmail.com" target="_blank">primski@gmail.com</a>><br>
Subject: Re: Freeradius doesn't detect EAP when authenticating against<br>
MySQL<br>
To: "FreeRadius users mailing list"<br>
<<a href="mailto:freeradius-users@lists.freeradius.org" target="_blank">freeradius-users@lists.freeradius.org</a>><br>
Message-ID:<br>
<<a href="mailto:ead364dc0710230108u752b2593h4a7885ca04e61ce7@mail.gmail.com" target="_blank">ead364dc0710230108u752b2593h4a7885ca04e61ce7@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
On 10/23/07, Alan DeKok <<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>> wrote:<br>
><br>
> preem wrote:<br>
> > So, what is a common practice to do this then?<br>
><br>
> It's not.<br>
><br>
> People store MD5 or crypt'd passwords when the ONLY authentication<br>
> they're doing is PAP. i.e. Unix logins, where the user supplies a<br>
> clear-text password to the authentication system.<br>
<br>
<br>
And PAP is not a very safe or smart way to go, as I read it.<br>
<br>
> For many EAP types, people do NOT store MD5 or crypt'd passwords,<br>
> because they're useless.<br>
<br>
So, crypted passwords are useful only in web applications? I read a lot<br>
lately about how one should never store passwords in clear text; I guess<br>
that applies only to web apps.<br>
<br>
> > I understand it's not very<br>
> > safe nor sane to store passwords in clear text, that's why I wanted to avoid<br>
> > that, however it seems inevitable.<br>
><br>
> It is safe, sane, and common practice to store passwords in clear text.<br>
<br>
I do not have much experience with this; in fact it's my first project on the<br>
matter.<br>
<br>
> > I am managing a wired network for some 300 users, it's a student dorm and the<br>
> > university owns the network and they require authentication for the ease of<br>
> > management and control. 802.1x felt like the right way to go, because we are<br>
> > planning some wireless access points as well. There are HP's Procurve 2650<br>
> > switches in use. I chose mysql db backend, because I also created set of<br>
> > PHP scripts, where users can change their passwords and admin can<br>
> > add/del/modify user info.<br>
> > So what can one do to avoid storing passes in clear text or is it sane<br>
> > enough? The server also serves some web pages and dhcp requests.<br>
><br>
> Ensure that no one has physical access to the system storing the<br>
> passwords. Ensure that no one has network access to the system storing<br>
> the passwords.<br>
<br>
That will be no problem, since I'm the only one with physical access.<br>
<br>
> I would also suggest running the RADIUS server and/or the MySQL server<br>
> with passwords on a separate machine from the web/dhcp server. That<br>
> way, if someone breaks into the web server, they won't have access to<br>
> the passwords.<br>
<br>
I am using VMWare server, so that won't require much work.<br>
<br>
> Alan DeKok.<br>
> -<br>
> List info/subscribe/unsubscribe? See<br>
> <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
<br>
Thanks again for clearing this up.<br>
<br>
primski<br>
<br>
------------------------------<br>
<br>
Message: 7<br>
Date: Tue, 23 Oct 2007 10:28:52 +0200<br>
From: Alan DeKok <<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>><br>
Subject: Re: FreeRADIUS and SNMP questions<br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org" target="_blank">freeradius-users@lists.freeradius.org</a>><br>
Message-ID: <<a href="mailto:471DB0C4.3030305@deployingradius.com" target="_blank">471DB0C4.3030305@deployingradius.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
Geoffroy Arnoud wrote:<br>
> 1/ Is it possible to run 2 FreeRADIUS servers on the<br>
> same box, with SNMP support activated? I understand<br>
> it's possible, using distinct values for smux_password<br>
> parameter.<br>
<br>
I'm not sure. FreeRADIUS tries to grab the IETF RADIUS SNMP OID<br>
space. If there are two servers, they may conflict with their OID<br>
registration.<br>
<br>
Perhaps it would be useful to *also* export the IETF SNMP space under<br>
a configurable hierarchy?<br>
<br>
> 2/ Connecting FreeRADIUS to Net-SNMP using SMUX is<br>
> quite easy. Has anyone connected FreeRADIUS with BMC<br>
> PAtrol agent using SMUX?<br>
<br>
Not me, sorry.<br>
<br>
Alan DeKok.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 8<br>
Date: Tue, 23 Oct 2007 10:32:48 +0200<br>
From: Alan DeKok <<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>><br>
Subject: Re: Freeradius doesn't detect EAP when authenticating against<br>
MySQL<br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org" target="_blank">freeradius-users@lists.freeradius.org</a>><br>
Message-ID: <<a href="mailto:471DB1B0.1000409@deployingradius.com" target="_blank">471DB1B0.1000409@deployingradius.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
primoz wrote:<br>
> And PAP is not very safe and smart way to go as i read it.<br>
<br>
PAP is fine for RADIUS.<br>
<br>
> So, crypted passwords are useful only in web applications?<br>
<br>
That's not at all what I said. I specifically mentioned Unix logins.<br>
Crypt'd passwords are useful only for PAP. There are many, many, kinds<br>
of systems using clear-text passwords (i.e. PAP) for authentication.<br>
<br>
> I read a lot<br>
> lately about how one should never store passwords in clear text; I<br>
> guess that applies only to web apps.<br>
<br>
No. It's written by people who either don't understand security, OR<br>
aren't using EAP methods. Again, if all you're doing is PAP, then<br>
crypt'd passwords are OK. If you need EAP, you also need clear-text<br>
passwords.<br>
<br>
Stop trying to apply comments from web application "how-to's" to<br>
RADIUS. They're not the same, and the security analysis is not the same.<br>
<br>
> It is safe, sane, and common practice to store passwords in clear<br>
> text.<br>
><br>
> I do not have much experience with this; in fact it's my first project on<br>
> the matter.<br>
<br>
Then why are you questioning the answers you get here?<br>
<br>
Alan DeKok.<br>
<br>
<br>
------------------------------<br>
<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
<br>
<br>
End of Freeradius-Users Digest, Vol 30, Issue 82<br>
************************************************<br>
</blockquote></div><br>
<br></blockquote></div><br>
</div><br>
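<p>Added worked example for the question at the top of the page and for Alan's answers in Messages 2 and 8 (why a crypt'd hash only serves PAP). This is editor-supplied code, not code from the thread or from FreeRADIUS. It assumes three things that are true of FreeRADIUS: the users file accepts <code>Cleartext-Password</code>, <code>NT-Password</code> (MD4 of the UTF-16LE password) and one-way forms such as <code>Crypt-Password</code>; PAP delivers the user's cleartext to the server, so any stored hash can be checked; and MS-CHAPv2 (the usual PEAP/TTLS inner method) delivers only a challenge response computed from the NT hash, so the server must hold either the cleartext or the NT hash. MD4 is written out because <code>hashlib</code> lacks "md4" on many OpenSSL 3 builds, and the challenge/response is a simplified HMAC stand-in for the real DES-based NT-Response, used only to show the shape of the check.</p>

```python
"""
Added example, not code from the thread or from FreeRADIUS: why a one-way
hash (Crypt-Password, MD5-Password, SSHA-Password) can only serve PAP, and
what a users file can hold instead of Cleartext-Password when the inner
method is MS-CHAPv2. MD4 is written out because hashlib's "md4" is missing
from many OpenSSL 3 builds; the challenge/response is a simplified stand-in.
"""
import hashlib
import hmac
import os
import struct


def _md4(data: bytes) -> bytes:
    """MD4 per RFC 1320; only used to derive the NT hash below."""
    def rotl(x, s):
        return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):
            a = rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + G(b, c, d) + X[r2[i]] + 0x5A827999) & 0xFFFFFFFF,
                     (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF,
                     (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = ((A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF,
                      (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF)
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """The value FreeRADIUS accepts as NT-Password: MD4 over UTF-16LE."""
    return _md4(password.encode("utf-16-le"))


def store_pbkdf2(password: str, salt: bytes = b"") -> str:
    """A salted one-way hash, standing in for Crypt-Password/SSHA-Password."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"pbkdf2:{salt.hex()}:{dk.hex()}"


def verify_pap(stored: str, cleartext_from_nas: str) -> bool:
    """PAP: the NAS forwards the user's cleartext, so any stored hash works."""
    _, salt_hex, dk_hex = stored.split(":")
    dk = hashlib.pbkdf2_hmac("sha256", cleartext_from_nas.encode(),
                             bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def challenge_response(nthash: bytes, challenge: bytes) -> bytes:
    """Simplified stand-in for the MS-CHAPv2 NT-Response (the real one is
    DES keyed with the NT hash). The shape is what matters: the supplicant
    sends only this value, never the password itself."""
    return hmac.new(nthash, challenge, "sha256").digest()


def verify_challenge(kind: str, stored: str, challenge: bytes, response: bytes):
    """True/False when the stored form can be checked, None when it cannot
    (a one-way hash gives the server no way to recover the NT hash)."""
    if kind == "Cleartext-Password":
        key = nt_hash(stored)
    elif kind == "NT-Password":
        key = bytes.fromhex(stored)
    else:
        return None
    return hmac.compare_digest(challenge_response(key, challenge), response)


def users_file_lines(user: str, password: str) -> str:
    """Two equivalent users-file entries. NT-Password is unsalted and
    password-equivalent: it hides the password from a casual reader but is
    no safer than cleartext if the file itself is stolen."""
    return (f'{user}\tCleartext-Password := "{password}"\n'
            f'{user}\tNT-Password := "{nt_hash(password).hex().upper()}"\n')


if __name__ == "__main__":
    print(users_file_lines("test", "test"), end="")
```

<p>Running the script prints the two users-file spellings of the credential from the original question. The practical reading of the thread is the same as Alan's: <code>Crypt-Password</code> is fine if every client does PAP, <code>NT-Password</code> is the only "non-cleartext" form that still works for MS-CHAPv2, and because that hash is password-equivalent the real protection is the one Alan names, keeping the password store on a host nobody else can reach.</p>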