From zaza1851983ml@googlemail.com Sun Aug 9 20:17:32 2015 From: Moataz Elmasry To: freeradius-users@lists.freeradius.org Subject: Hash/Salt password with mysql Date: Sun, 09 Aug 2015 20:17:30 +0200 Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6070582399221777567==" --===============6070582399221777567== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi all, I'm trying to configure freeradius with mysql authentication. Specifically I'm trying to use a somehow longer hash. I came upon the thread http://lists.freeradius.org/pipermail/freeradius-users/2015-January/075505.ht= ml Which explains using update control to query hash and salt from the database. It goes something like this: update control { Tmp-String-0 :=3D "%{sql:SELECT hash FROM WHERE }" Tmp-String-1 :=3D "%{sql:SELECT salt FROM
WHERE }" } update control { SSHA2-512-Password :=3D "0x%{control:Tmp-String-0}%{control:Tmp-String-1}" } This is probably a beginners question, but I don't know what to put in the where clause as I don't know which parameters are available at the time of calling this, ideally the statement will look like this: Assume table: users(id, username, hash, salt) update control { Tmp-String-0 :=3D "%{sql:SELECT hash FROM users WHERE }" Tmp-String-1 :=3D "%{sql:SELECT salt FROM users WHERE }" } Any idea how to achieve that? Sepcifically how to get the username the user is currently submitting --===============6070582399221777567==-- From a.cudbardb@freeradius.org Sun Aug 9 20:22:44 2015 From: Arran Cudbard-Bell To: freeradius-users@lists.freeradius.org Subject: Re: Hash/Salt password with mysql Date: Sun, 09 Aug 2015 14:22:38 -0400 Message-ID: <77F31020-35F1-4AE5-A158-7C755FB610AD@freeradius.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0439355162326399848==" --===============0439355162326399848== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit > > update control { > Tmp-String-0 := "%{sql:SELECT hash FROM users WHERE > }" > Tmp-String-1 := "%{sql:SELECT salt FROM users WHERE > }" > > } > WHERE username='%{User-Name}' man unlang Arran Cudbard-Bell FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 --===============0439355162326399848== Content-Type: application/pgp-signature Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" MIME-Version: 1.0 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcvTWFjR1BHMiB2Mi4w LjI3CkNvbW1lbnQ6IEdQR1Rvb2xzIC0gaHR0cDovL2dwZ3Rvb2xzLm9yZwoKaVFJY0JBRUJDQUFH QlFKVng1cHVBQW9KRVArazFZS2Z0dGZLd1NNUC8zZ0N0WlJjb3JwM0hKbE1mSmhBNVIyKwo4cUNo aVhmR2dYQmtVSTZmZmlrbUNsRVBDSDFxMEpPeE9EdUoyUU94VnY4amxtc29Ib0JNTFo0VnBBTFpO TGEvClNsYVR4M24vRlNBaVV5NVFBaWUzc3l4d1pERkJidDBnZ1VkcGc2VEVhT2hlRnRsVUlRVVF3 bHJXV1kxbnJJTkYKeGljcnR1OXI3NWlHYm8yMlY2d1dOajYvb0JldEMzRUlqNG8wN0RzSVBJdy84 TTlQWmVXaCtOTlNLT2ZTeUR2RgpHanZQcmdFMEE4M2ZwLzYvK0kvK1ZlTUs0UEpHRm5Fa3g1N3Rv ZVFJdFNjbVcxbXpZUWlKU2RySktMTy9vd3NNCk1qNzh3cVRlcGp6Mmh1Vndkdi9JZEJudlN4cGEw NDQwOWJzK0dKRGRseWNJdkJLWm5ES09tOGx0dmhFVjlVK3YKTWc4ekRmMDUrVEJ4MVRXVUFvdGZt NnFwelNlVENOYU5vZDJvcHlQM0RHU1lHYXlidFA5aDI3clloZ214dWVDcgpUQzYzS3NJT01TNWpG OW5OOXZzZjhMSm9xMTY1Z0NQekw0REh6OVFRZ1g0OFpXZG1lZzlUOXJhTzI5Y3NZUmRXCnpiZXo4 MlJYZ3lFaU9nUS9BcTVHK2wxU1RaTGQ0eDhqZVJNTkFNdTFJS01nSlhkS1dwUjdNTWcxRG9yaGU3 RFYKSys3UjZSTDRmdWQ0SUs1eXFKZ0tkenRXaHMrV2l6OER5UHlRbkU4ZGlCS3RycFZBYUw1TlNS V1hVVU56V3B4WQpobDZkRTEzNzA3MTRvdnpsUGdUY0NDQ2RrTkZLbm4rYTN2WUJEWklPa1FTYW1u THJZRUpJKy9pR2hWeGlid004Cm83UXV2T0RiVmhKZmFvYW9SWURJCj0zYmh6Ci0tLS0tRU5EIFBH UCBTSUdOQVRVUkUtLS0tLQo= --===============0439355162326399848==-- From zaza1851983ml@googlemail.com Mon Aug 10 21:38:21 2015 From: Moataz Elmasry To: freeradius-users@lists.freeradius.org Subject: Re: Hash/Salt password with mysql Date: Mon, 10 Aug 2015 21:38:19 +0200 Message-ID: In-Reply-To: <77F31020-35F1-4AE5-A158-7C755FB610AD@freeradius.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3327030143140222075==" --===============3327030143140222075== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Hi Arran and thanks for the quick reply Unfortunately I can't seem to get it running, getting a "[pap] Passwords don't match" error Here's the simplest example I could come up with: username: freddi password: wilma salt: berlin Then hashed the password+salt: echo -n "wilmaberlin" | openssl sha1 (stdin)= ae5fb20004bd032779db7ecb7eda7973fa25d281 In the users table, the hash is set to that sha1, while salt=berlin Then here's the configuration from sites-enabled/default: update control { Tmp-String-0 := "%{sql:SELECT hash FROM accounts WHERE username = '%{User-Name}'}" Tmp-String-1 := "%{sql:SELECT salt FROM accounts WHERE username = '%{User-Name}'}" } update control { SSHA-Password := "%{control:Tmp-String-0}%{control:Tmp-String-1}" } I removed the 0x before the password value, so that it gets normalized Any idea what I'm doing wrong? Regards and thanks On Sun, Aug 9, 2015 at 8:22 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote: > > > > update control { > > Tmp-String-0 := "%{sql:SELECT hash FROM users WHERE > > }" > > Tmp-String-1 := "%{sql:SELECT salt FROM users WHERE > > }" > > > > } > > > > WHERE username='%{User-Name}' > > man unlang > > Arran Cudbard-Bell > FreeRADIUS development team > > FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 > > --===============3327030143140222075==-- From a.cudbardb@freeradius.org Mon Aug 10 21:44:13 2015 From: Arran Cudbard-Bell To: freeradius-users@lists.freeradius.org Subject: Re: Hash/Salt password with mysql Date: Mon, 10 Aug 2015 15:44:08 -0400 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2756978828958233207==" --===============2756978828958233207== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable > On Aug 10, 2015, at 3:38 PM, Moataz Elmasry = wrote: >=20 > Hi Arran and thanks for the quick reply >=20 > Unfortunately I can't seem to get it running, getting a "[pap] Passwords do= n't match" error >=20 > Here's the simplest example I could come up with: >=20 > username: freddi > password: wilma > salt: berlin >=20 > Then hashed the password+salt: > echo -n "wilmaberlin" | openssl sha1 > (stdin)=3D ae5fb20004bd032779db7ecb7eda7973fa25d281 >=20 >=20 > In the users table, the hash is set to that sha1, while salt=3Dberlin >=20 > Then here's the configuration from sites-enabled/default: >=20 > update control { > Tmp-String-0 :=3D "%{sql:SELECT hash FROM accounts WHERE us= ername =3D '%{User-Name}'}" > Tmp-String-1 :=3D "%{sql:SELECT salt FROM accounts WHERE us= ername =3D '%{User-Name}'}" > } >=20 > update control { > SSHA-Password :=3D "%{control:Tmp-String-0}%{control:Tmp-St= ring-1}" > } >=20 > I removed the 0x before the password value, so that it gets normalized Is the salt hex encoded also when it comes out of the db? -Arran --===============2756978828958233207== Content-Type: application/pgp-signature Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" MIME-Version: 1.0 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KQ29tbWVudDogR1BHVG9vbHMgLSBodHRwczov L2dwZ3Rvb2xzLm9yZwoKaVFJY0JBRUJDZ0FHQlFKVnlQOEpBQW9KRVArazFZS2Z0dGZLaFVBUUFK M1ZTb3JGbW8ycGFoQnFPTSt3T3lYTApCSGlCSUhSRFpKSXdER2ZQQWtpWGx4Wi9qL2xqbDlERjBL RWxPUWRKYk5BSmlKQXFWSHhKVHpTa0Nic0ZRSXdNCmFXb09DR1Vsc0VFQnoyR25NYVNsQlMyMjlz ODRvZEo1ajBLZFU4RkVVVy9Kc3dLQ0VSTkI2dmMzUSs2REhHOXYKY0xEMml2bnFzUGJiOXcvRHJ4 K0RMU0IvZjRDM0RaR1ZMdHV6WDZVc0d1TU5zSVBiZ2toZ0k5elZOZnJWR2RNRgpnV21qV0tuTUo4 dTJkVFA0NjJmekptNDNTWkVEa3AwN01pa2NhcmxyZGtRUFRRU09lLzY4cmt6UnZLcHBzL0ZqClFD ZGV0VXBSV2M2OE41NFduaUNmY3FxeVR2cHB0aU5peEZqc2M1bmJJOXVycXNRZFNUWXErSU4vSS80 dG92QzkKY2NGY2t1L0lwbFA1dXVQeHFJdCtPOG9jdUI0K2NNWkFEZWNKUWRuTXZObFpWM1pZamNn dXhPQjcrTGFNOXFueQpNRFJJS3NYeVQzVTN0dmJwR2RKNVFzR1N6TXg1T2hpNGJleUI2Uy9lekFG VytPTmdkME5RblBVK0kzUHBCNFUyCjJHaVhKenZhZG9scEY2YmpUeGVMNk1BNFFTcWl6MXF6T2RF ZXJWVFYwVXp3STdtbCtFNWU4UmZyazAvT2Ryd3oKakNpcmU0aThzSmhJZ1VGNW9yTGdvRHdVT0w2 T09zV1kzeVJJV2FvVFFBMlZnVW1sZG52UjN6b3lHcTY5bDFFQQpITXZta3ovQnpDejNWR2ovTkF2 REZOdEtUNVNRclNlRmswWkhTb3poSFFPb1RqbitiMEtrc1FiSmJxVW1yL0RiClhFTGJNcDJPc2hZ eEFTSnp3M2VKCj1kb01uCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo= --===============2756978828958233207==-- From zaza1851983ml@googlemail.com Mon Aug 10 23:23:03 2015 From: Moataz Elmasry To: freeradius-users@lists.freeradius.org Subject: Re: Hash/Salt password with mysql Date: Mon, 10 Aug 2015 23:23:00 +0200 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4596951166651069282==" --===============4596951166651069282== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit No I didn't hex encode it. I'm using a stock freeradius 2.1.12 coming with Ubuntu 14.04 The table has been created as follows: This is the table schema CREATE TABLE `accounts_dummy` ( `id` int(11) NOT NULL AUTO_INCREMENT, `username` varchar(45) NOT NULL, `hash` varchar(255) NOT NULL, `salt` varchar(45) NOT NULL, PRIMARY KEY (`id`), UNIQUE KEY `id_UNIQUE` (`id`) ) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; And insert the user as follows echo "INSERT INTO `accounts_dummy` (`id`, `username`, `hash`, `salt`) VALUES ('1', 'freddi', '$( echo -n "wilmaberlin" | openssl sha1)', 'berlin');" > insert_user.sql After insertion I made sure that the sha1 in the db is: ae5fb20004bd032779db7ecb7eda7973fa25d281 On Mon, Aug 10, 2015 at 9:44 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote: > > > On Aug 10, 2015, at 3:38 PM, Moataz Elmasry < > zaza1851983ml@googlemail.com> wrote: > > > > Hi Arran and thanks for the quick reply > > > > Unfortunately I can't seem to get it running, getting a "[pap] Passwords > don't match" error > > > > Here's the simplest example I could come up with: > > > > username: freddi > > password: wilma > > salt: berlin > > > > Then hashed the password+salt: > > echo -n "wilmaberlin" | openssl sha1 > > (stdin)= ae5fb20004bd032779db7ecb7eda7973fa25d281 > > > > > > In the users table, the hash is set to that sha1, while salt=berlin > > > > Then here's the configuration from sites-enabled/default: > > > > update control { > > Tmp-String-0 := "%{sql:SELECT hash FROM accounts WHERE > username = '%{User-Name}'}" > > Tmp-String-1 := "%{sql:SELECT salt FROM accounts WHERE > username = '%{User-Name}'}" > > } > > > > update control { > > SSHA-Password := > "%{control:Tmp-String-0}%{control:Tmp-String-1}" > > } > > > > I removed the 0x before the password value, so that it gets normalized > > Is the salt hex encoded also when it comes out of the db? > > -Arran > > --===============4596951166651069282==-- From a.cudbardb@freeradius.org Tue Aug 11 01:29:13 2015 From: Arran Cudbard-Bell To: freeradius-users@lists.freeradius.org Subject: Re: Hash/Salt password with mysql Date: Mon, 10 Aug 2015 19:29:07 -0400 Message-ID: <44C04221-6EEA-436B-B8C8-C92AD3BBBF56@freeradius.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7725950817563022041==" --===============7725950817563022041== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable > On 10 Aug 2015, at 17:23, Moataz Elmasry wro= te: >=20 > No I didn't hex encode it. >=20 > I'm using a stock freeradius 2.1.12 coming with Ubuntu 14.04 >=20 > The table has been created as follows: >=20 > This is the table schema >=20 > CREATE TABLE `accounts_dummy` ( > `id` int(11) NOT NULL AUTO_INCREMENT, > `username` varchar(45) NOT NULL, > `hash` varchar(255) NOT NULL, > `salt` varchar(45) NOT NULL, > PRIMARY KEY (`id`), > UNIQUE KEY `id_UNIQUE` (`id`) > ) ENGINE=3DInnoDB AUTO_INCREMENT=3D2 DEFAULT CHARSET=3Dlatin1; >=20 >=20 > And insert the user as follows > echo "INSERT INTO `accounts_dummy` (`id`, `username`, `hash`, `salt`) VALUE= S ('1', 'freddi', '$( echo -n "wilmaberlin" | openssl sha1)', 'berlin');" > i= nsert_user.sql >=20 > After insertion I made sure that the sha1 in the db is: ae5fb20004bd032779d= b7ecb7eda7973fa25d281 >=20 So you'd want: update control { SSHA-Password :=3D "%{control:Tmp-String-0}%{hex:control:Tmp-= String-1}" } That way you've concatenated the digest, which is hex, with the salt, which i= s now also hex. When rlm_pap normalises the string, the buffer will contain the binary hash, = and the cleartext salt, concatenated together. Here's what the code does: static rlm_rcode_t CC_HINT(nonnull) pap_auth_ssha(rlm_pap_t *inst, REQUEST *r= equest, VALUE_PAIR *vp) { fr_SHA1_CTX sha1_context; uint8_t digest[128]; RDEBUG("Comparing with \"known-good\" SSHA-Password"); /* Attempt to convert base64 and hex, back to binary */ if (inst->normify) { normify(request, vp, 20); } if (vp->vp_length <=3D 20) { REDEBUG("\"known-good\" SSHA-Password has incorrect length"); return RLM_MODULE_INVALID; } /* Run the password we received from the user through sha1 */ fr_sha1_init(&sha1_context); fr_sha1_update(&sha1_context, request->password->vp_octets, request->passwor= d->vp_length); /* Run any bytes after the sha1 hash through sha1 */ fr_sha1_update(&sha1_context, &vp->vp_octets[20], vp->vp_length - 20); fr_sha1_final(digest, &sha1_context); /* Compare the resulting digests */ if (rad_digest_cmp(digest, vp->vp_octets, 20) !=3D 0) { REDEBUG("SSHA digest does not match \"known good\" digest"); return RLM_MODULE_REJECT; } return RLM_MODULE_OK; } Repeated calls to fr_sha1_update are the same as if you'd fed the concatenate= d string into sha1. If your salt is not hex armoured, the normalisation code is going to see the = string contains non hex chars, and assume its in its binary/cleartext form al= ready. If this still doesn't work, please post the output (radiusd -X) -Arran Arran Cudbard-Bell FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 --===============7725950817563022041== Content-Type: application/pgp-signature Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" MIME-Version: 1.0 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcvTWFjR1BHMiB2Mi4w LjI3CkNvbW1lbnQ6IEdQR1Rvb2xzIC0gaHR0cDovL2dwZ3Rvb2xzLm9yZwoKaVFJY0JBRUJDQUFH QlFKVnlUUERBQW9KRVArazFZS2Z0dGZLZ0c0UC8wazdzWHdlUmlUZVIrMlVMT2ZZUXl0agpRaTgv aUtiSXMrdGZUdWU5S2c3S2FHdTZXVzZwcDJtbjRacys5TXk4bWc4TnludS9vQjdGTkhiNU5kblNo cXpICkYzVFF2REZISmlUV0pXdFRWOWxYa2VWMEFkVm9hSXM3ZzVzcTBZOVdLNDJjeFRGOXhUMktF dllhSHJhMU9uVFQKcEx3MUR0bFdjbnJZY1RpMEZaS3hMY3BaREcwZzJCWkd5TEJaZlE5NmVUdjlt VVNibFZNNUkvMGIzMUwyN1FhaQp2WmFIY0I2S2JUSkN2ejMrY3VKOVRXS05MS092MzJuVEFBWG1J dFlQNkY2WGtwRjVHSnUzelNzQWQvaWFmc0VuCm1FbGlBaitxSFBDb1dyQzl2UzdmaXVDMSt5TDdX ZFJqTExKS3NXY0dJUFQ3STd2OWlJbDdkUnNJZHJzUWNVQnkKZm1lNlY0M0hKS0pHUnZFMjVZZnhC OXYvd0FEUXNrT2gvWUdkKzZaQzZxWDNOMkhkZnovODBJaHZZT2twTGZCTApmd0FZMllMU2MwSWd3 RkQvdkJEVjl6VllKK2IyQUtJQlcxQUZNR21HaVpLR0NmOXhyT0xFdWMvWG8wRjc2aUVTCm02VWt4 eWZEanhrV2M3YmVNb01tK01QMWxwRFF0akVIY0Mrdno5NTJtZ2YvMThDRUs0VGd5YlArakFJZ3p4 aE8KM0FXZThXNEZNMDFNbStCQjR4bkd3R3dFMGl0NktMbWNNRjMrM2NXMUZEZ0ltUk5uaXRlQVI5 OE5OYnNTWi9nRApyYmVjRW81SERSOGNVM1gwd0RPQzcyTzFRN1JreDRIVVdFWGdzTy9kU1MyWGpL RlV0Uzg0ZExydWxiSGs0V2l4ClZMMUxjd2taeW1CbG9jajhSYnRNCj1uSlRjCi0tLS0tRU5EIFBH UCBTSUdOQVRVUkUtLS0tLQo= --===============7725950817563022041==-- From zaza1851983ml@googlemail.com Thu Aug 20 23:38:24 2015 From: Moataz Elmasry To: freeradius-users@lists.freeradius.org Subject: Re: Hash/Salt password with mysql Date: Thu, 20 Aug 2015 23:38:20 +0200 Message-ID: In-Reply-To: <44C04221-6EEA-436B-B8C8-C92AD3BBBF56@freeradius.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3728371437068901553==" --===============3728371437068901553== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable It worked!!!! Many thanks. The problem was, as you correctly pointed that the salt was coming out of the db not hex encoded. Here is the final settings of sites-enabled/default: update control { Tmp-String-0 :=3D "%{sql:SELECT hash FROM accounts_dummy WHERE username =3D '%{User-Name}'}" Tmp-String-1 :=3D "%{sql:SELECT salt FROM accounts_dummy WHERE username =3D '%{User-Name}'}" } update control { SSHA-Password :=3D "0x%{control:Tmp-String-0}%{control:Tmp-String-1}" } Here's a nodejs function that will return the hash and the salt hex to be used in two separate columns: var hashSimple =3D function (value, salt) { var shasum =3D crypto.createHash('md5') shasum.update(value) shasum.update(salt) console.log("Hash encoded in hex=3D" + shasum.digest('hex')) console.log("Salt encoded in hex=3D" + new Buffer(salt).toString("hex")) } or if someone wants to store both into the 'radcheck' table as one field as usual instead of using this twisted way like me, then here's how to var hashSimple =3D function (value, salt) { var shasum =3D crypto.createHash('md5') shasum.update(value) shasum.update(salt) console.log("Full hash encoded in hex=3D" + new Buffer.concat([ shasum.digest() , new Buffer(salt) ]).toString('hex')) } So it was kinda a user misunderstanding, the tutorial on: https://www.packtpub.com/books/content/freeradius-authentication-storing-pass= words is quite good actually, but I misunderstood what really the Perl script does Thanks and regards On Tue, Aug 11, 2015 at 1:29 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote: > > > On 10 Aug 2015, at 17:23, Moataz Elmasry > wrote: > > > > No I didn't hex encode it. > > > > I'm using a stock freeradius 2.1.12 coming with Ubuntu 14.04 > > > > The table has been created as follows: > > > > This is the table schema > > > > CREATE TABLE `accounts_dummy` ( > > `id` int(11) NOT NULL AUTO_INCREMENT, > > `username` varchar(45) NOT NULL, > > `hash` varchar(255) NOT NULL, > > `salt` varchar(45) NOT NULL, > > PRIMARY KEY (`id`), > > UNIQUE KEY `id_UNIQUE` (`id`) > > ) ENGINE=3DInnoDB AUTO_INCREMENT=3D2 DEFAULT CHARSET=3Dlatin1; > > > > > > And insert the user as follows > > echo "INSERT INTO `accounts_dummy` (`id`, `username`, `hash`, `salt`) > VALUES ('1', 'freddi', '$( echo -n "wilmaberlin" | openssl sha1)', > 'berlin');" > insert_user.sql > > > > After insertion I made sure that the sha1 in the db is: > ae5fb20004bd032779db7ecb7eda7973fa25d281 > > > > So you'd want: > > update control { > SSHA-Password :=3D > "%{control:Tmp-String-0}%{hex:control:Tmp-String-1}" > } > > That way you've concatenated the digest, which is hex, with the salt, > which is now also hex. > > When rlm_pap normalises the string, the buffer will contain the binary > hash, and the cleartext salt, concatenated together. > > Here's what the code does: > > static rlm_rcode_t CC_HINT(nonnull) pap_auth_ssha(rlm_pap_t *inst, REQUEST > *request, VALUE_PAIR *vp) > { > fr_SHA1_CTX sha1_context; > uint8_t digest[128]; > > RDEBUG("Comparing with \"known-good\" SSHA-Password"); > > /* Attempt to convert base64 and hex, back to binary */ > if (inst->normify) { > normify(request, vp, 20); > } > if (vp->vp_length <=3D 20) { > REDEBUG("\"known-good\" SSHA-Password has incorrect > length"); > return RLM_MODULE_INVALID; > } > > /* Run the password we received from the user through sha1 */ > fr_sha1_init(&sha1_context); > fr_sha1_update(&sha1_context, request->password->vp_octets, > request->password->vp_length); > > /* Run any bytes after the sha1 hash through sha1 */ > fr_sha1_update(&sha1_context, &vp->vp_octets[20], vp->vp_length - > 20); > fr_sha1_final(digest, &sha1_context); > > /* Compare the resulting digests */ > if (rad_digest_cmp(digest, vp->vp_octets, 20) !=3D 0) { > REDEBUG("SSHA digest does not match \"known good\" > digest"); > return RLM_MODULE_REJECT; > } > > return RLM_MODULE_OK; > } > > Repeated calls to fr_sha1_update are the same as if you'd fed the > concatenated string into sha1. > > If your salt is not hex armoured, the normalisation code is going to see > the string contains non hex chars, and assume its in its binary/cleartext > form already. > > If this still doesn't work, please post the output (radiusd -X) > > -Arran > > Arran Cudbard-Bell > FreeRADIUS development team > > FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 > > --===============3728371437068901553==--