Mircea Harapu wrote:
I'm trying to make a ssh authentication with pam_radius_auth + freeradius + ldap The problem is that radius is sending the password to ldap in clear and not crypted with CRYPT as configured in ldap module . Huh? pam_radius_auth sends the password to FreeRADIUS in the clear, because that's what it does. FreeRADIUS sends this to LDAP because LDAP doesn't understand anything else.
sending passwords in clear in a network is not secure . pam_radius_auth does have md5 crypting capabilities . that's why you need to set radius key .
PAP sends the following radius request: User-Name = "Someuser" User-Password = "somepassword" HOWEVER, the User-Password field in a radius packet is defined by RFC to be encrypted with the radius shared secret. At the radius server, the password field is decrypted and processed in plaintext inside the radius server. This is at least as secure as sending a plaintext password over the wire.
And there is NO configuration in the LDAP module to send the password in crypted form. I think you're mistaking the configuration that *reads* the password from LDAP for something else.
auto_header = yes that means that it checks for encryption types .
I think Alan, as the main FreeRadius developer, is probably aware of that feature. He is aware that it does NOT do what you claim. "auto_header" is responsible for detecting the {type} header when the userPassword attribute is *read from* the LDAP server. The {type} field is stripped, and used to put the following value into the correct radius config attribute e.g. * {clear} -> User-Password * {crypt} -> Crypt-Password * {ssha} -> SSHA-Password ...and so on. *Then* the radius server processes a PAP request like so: 1. request comes in User-Name = foo User-Password = encrypted_with_radius_secret(bar) 2. authorize section is run 2a. ldap module is run - userPassword: {crypt}baAP5K9PT1lcc 2b. auto_header puts "Crypt-Password = baAP5K9PT1lcc" into config items 3. authenticate is run - Auth-Type = Local 3b. The radius server sees that Crypt-Password is set and does: if (crypt(User-Password, 'ba')=='baAP5K9PT1lcc') auth_ok; I hope that is clear. Your original mail stated:
I'm trying to make a ssh authentication with pam_radius_auth + freeradius + ldap The problem is that radius is sending the password to ldap in clear and not crypted with CRYPT as configured in ldap module .
As Alan tried to explain to you, pam_auth_radius is doing nothing wrong. What is undoubtedly happening is that you have the radius server configured incorrectly. I suspect you want it to do this: 1. request comes in 2. fetch password from ldap 3. compare crypted password from LDAP with password supplied I suspect what it's actually doing is: 1. request comes in 2. ldap searched for user - found 3. password is checked by doing LDAP simple bind If you want the first, configure the radius server to do that. Hint: see the "set_auth_type = no" option on recent versions of the server, or have the users file read: DEFAULT Auth-Type := Local Or, be more clear about what the problem is. "It doesn't work how I think it should" does not help, especially when you are wrong in your assumptions.