W dniu 26.10.2021 o 19:09, Alan DeKok pisze:
On Oct 26, 2021, at 12:51 PM, Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:adius-chap/
For better GDPR compliance and security I'd like to recommend using NT-Password for authentication (sambaNTPassword in LDAP).
All 8-character NT hashes can be cracked fairly quickly:
Indeed, it can be easily cracked, but NT-Password is stored as 32-character long MD4 hash and at least needs some effort to be cracked. I never recommended using eight-character Windows NTLM passwords and wonder if they will work for MSCHAP auth.
These passwords stored as NThashes are fully compliant with MSCHAP authentication, but you have to store them in LDAP (or even database), so you have to store and chage both: SHA hashed userPassword and NT hashed sambaNTPassword for each user. The drawback is that such a solution requires 3rd party password updating tool for LDAP.
My choice would be (in order)
* use whatever is mandated by your DB, because you don't have a choice e.g. NT hashes for Active Directory
* some crypt'd / salted format. Whatever it is doesn't matter, so long as it's relatively recent
* clear-text passwords
If you're not using AD, then NT hashes are *slightly* better than clear-text passwords. But any additional security is little more than an illusion. If someone gets access to the password DB, then NT hashes are entirely equivalent to clear-text passwords. Anyone with $ to spare can crack the passwords pretty quickly.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Marek Zarychta