On 22 Jan 2015, at 19:43, Robert Graham <robert_graham@uhaul.com> wrote:
Upgraded FR to the 3.0.x release and the password shows that it is ssha512 but where in the code does the salt get pulled from? and where do I configure it?
There is no separate salt attribute. update control { SSHA2-512-Password := "0x%{sql:query to get hash in hex concatenated with salt in hex}" } pap For salted hashes it's always <hash><salt>. The hash part is determined by the expected length of the hash. So for SHA512 the first 64 bytes of the hash/salt concatenation are assumed to be the hash, and the rest is assumed to be the salt. The code takes the salt part, creates the concatenation of <password><salt> and passes that to SHA512, the result of that is then compared to <hash>. If you can't figure out how to get the hash in hex form, the server will accept base64 as an alternative, but you should then do: update control { Password-With-Header := "{ssha512}%{sql:query to get hash concatenated with salt in base64}" } pap The PAP module will then use heuristics to determine the correct encoding (hex or base64 or none), and normalise the <hash><salt> to binary data. Note: You can't just concatenate two base64 strings. If they're stored that way in the db they would have to be separately decoded and the result concatenated. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2