Sven Hartge <sven@svenhartge.de> wrote:
Andreas Rudat <rudat@endstelle.de> wrote:
Am 11.11.2011 03:56, schrieb Fajar A. Nugraha:
On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten <Ggatten@waddell.com> wrote:
I agree with Jake, in that I *think* it would be possible to have a plugin or whatever interface with LDAP/AD in the same manner ntlm_auth does. I don't think one *needs* a cleartext password, but does need some way to compare apples-to-apples. That's exactly what Alan is saying: " store your passwords in the LDAP as NT-Password or LM-Password "
But if that works, why then all are saying that you can just work with plaintext? Its realy confusing.
NT/LM-Password is "special". This is why it works with MSCHAPv2, both being a MicroSoft "invention".
To be precise: MSCHAPv2 works with the NT/LM-Password as input to the Challenge-Handshake and not the "raw" cleartext password. This is why this works. FreeRADIUS converts a cleartext password into the needed NT-Hash and then applies this to the MSCHAPv2 handshake. Or it uses a pre-existing NT-Hash from LDAP/MySQL/whatever. Quote from http://en.wikipedia.org/wiki/NTLM ,---- | The NTLM protocol uses one or both of two hashed password values, both | of which are also stored on the server (or domain controller), and which | are password equivalent, meaning that if you grab the hash value from | the server, you can authenticate without knowing the actual password. `---- This also means you have to protect those Hashes inside your database like a raw cleartext password, as you can authenticate to any Windows box with the knowledge of the NT/LM-Hash. This has been exploitet by several Windows trojan horses, which grabbed to NT-Hash from the Administrator user to login into other boxes on the network using the same password (or worse: the domain controller). Grüße, S° -- Sigmentation fault. Core dumped.