Hi list,
Is it possible to add additional password encryption options to FreeRADIUS so that the user database can be used as a user/password store (For instance PBKDF2 or scrypt)?
Yeah, some guy submitted code to do that, but it was awful.
When I look at "man rlm_pap", the amount of encryption options for passwords are limited when FreeRADIUS is your only user database. I'm creating a POC where users can register for an account to use certain services (accessible via radius authentication) and I'm trying to only use the FreeRADIUS mysql database as a backend to keep it simple, but the password encryption methods aren't considered secure by today's standards.
What, salted SHA512 isn't considered secure by todays standards?
If you don't mind providing some test output PBKDF2 i'll see if I can fix the code I have to not be terrible...
I'm using Python Passlib to generate the below output (https://pypi.python.org/pypi/passlib). The author of Passlib recommends to use bcrypt, sha512_crypt or pbkdf2_sha512 in applications these days. On Ubuntu: sudo apt-get python-passlib python3-passlib
from passlib.hash import bcrypt bcrypt.encrypt('password123') '$2a$12$G1gi54hD.9y4ws4Bcg94n.kGKM/R8CEtqVNGczNAzzwc6gN9NhAjC' bcrypt.encrypt('password123', salt='G1gi54hD.9y4ws4Bcg94n.', rounds=12) '$2a$12$G1gi54hD.9y4ws4Bcg94n.kGKM/R8CEtqVNGczNAzzwc6gN9NhAjC'
from passlib.hash import pbkdf2_sha512 pbkdf2_sha512.encrypt('password123') '$pbkdf2-sha512$25000$X.tdS.l9j9Ham/Meg7C2lg$YPo7a7kJQyqDHzDnkfS/0mWZibLOIOcTPCZtuK454VQtDRw0Q3mBkUWqRy1av5N/bpU.ohuN2ucMyl3ZJuAsSw'
Next version of Passlib (1.7) will have scrypt as well. What's the digest for PBKDF2 used in the code you received? Kind regards, Laurens