Help: PAP with Sha1
Hi, I am using free-radius-2.1.12. I see that radius uses MD5 for encoding/decoding passwords. I am using PAP authentication. In my radius client I changed encoding to SHA1; due to which radius started rejecting auth requests saying password mismatch from rlm_pap which is obvious. I tried changing few things in lib/radius.c to SHA1 but with no success. I ran radiusd with -X option and I saw following:With MD5 from client: User-Name = "vishal" Calling-Station-Id = "00-23-68-0F-1A-E6" NAS-Port = 0 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 127.0.0.1 NAS-Identifier = "ap7131-0F1AE6" NAS-Port-Id = "0" User-Password = "vishal123" With SHA1 from client: User-Name = "vishal" Calling-Station-Id = "00-23-68-0F-1A-E6" NAS-Port = 0 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 127.0.0.1 NAS-Identifier = "ap7131-0F1AE6" NAS-Port-Id = "0" User-Password = "\356Ew\2310\347\326\367h\r1\223,\224\024\352\027\241>5" Alan Dekok just informed me that RADIUS uses MD5 and it can't be changed (thanks ALAN). And I don't want to go against protocol. But as I have spent almost a week in finding a location where RADIUS decodes the password received from client. Please can somebody point me the place where this happens. Thanks and Regards, Vishal Kotalwar, Bangalore-35. 09900055647.
I will unsubscribe you from this list, too. You were told that it was NOT appropriate to ask these questions here. You are changing RADIUS in ways that are incompatible with RADIUS, useless, and have zero additional security. Sending me private messages saying "And next time write your code in a simpler way." is rude. It's *your* problem to understand code you're editing. If you can't, don't blame the authors. Blame the readers. Alan DeKok.
On 04/20/2012 11:46 AM, vishal_nitr wrote:
But as I have spent almost a week in finding a location where RADIUS decodes the password received from client.
That's embarrassing, I found it in about 2 minutes. If you understand how the protocol works it will be obvious (hint: it involves something called a secret and uses something called MD5). But as Alan said, you can't change the protocol so what's the point? -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
participants (3)
-
Alan DeKok -
John Dennis -
vishal_nitr