On 7 Feb 2017, at 14:37, David Teston <dteston@georgialibraries.org> wrote:
My company runs an application that hashes/encrypts user passwords in a central postgres DB. I have a bash script that can be run remotely to check a username and password against it: ./script.sh <user> <plaintext_pass>
Possible to do, use rlm_exec, though using postgresql directly would be better. It's inadvisable to pass credentials as arguments in a script because any user on the system can use 'ps' and see them.
My fear is that I will not be able to use EAP or CHAP (and their various sub-types) because of client-side password hashing. It seems that PAP will be the only usable solution because it would still provide the server with a plaintext password to be passed into the script. But I run into security issues with PAP.
You haven't said what your clients are, but assuming wired/wireless there is no security problem. If you're using EAP-TTLS/PAP the credential exchange is in a TLS tunnel, just like logging into a website. The only issue is if you don't configure the trust anchor correctly on clients. The only common algorithm supported by supplicants is MSCHAP-v2 which is comprehensively broken. CHAP wouldn't work with hashed passwords, but as far as I'm aware CHAP isn't supported by wireless clients anyway. Regards, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.