Hi all,
Is it possible to keep encrypted passwords in users file?
For e.g. test Cleartext-Password := "test"
Service-type = NAS-Prompt-User
instead of cleartext can we have encrypted passwords here.
Thanks.
You are not allowed to post to this mailing list, and your message has
been automatically rejected. If you think that your messages are
being rejected in error, contact the mailing list owner at
freeradius-users-owner@lists.freeradius.org.
---------- Forwarded message ----------
From: "ashish verma" <ashish.scit@gmail.com>
To: freeradius-users@lists.freeradius.org
Date: Thu, 13 Mar 2008 16:32:21 +0530
Subject: encrypted passwords in users file
Hi all,
Is it possible to keep encrypted passwords in users file?
For e.g. test Cleartext-Password := "test"
Service-type = NAS-Prompt-User
instead of cleartext can we have encrypted passwords here.
Thanks.
On Tue, Oct 23, 2007 at 2:03 PM, <
freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Are SHA-256 certificates supported? (hannu.lammi@wipsl.com)
2. Re: Freeradius doesn't detect EAP when authenticating against
MySQL (Alan DeKok)
3. Re: TTLS with Mutual Authentication (Alan DeKok)
4. Re: Are SHA-256 certificates supported? (Alan DeKok)
5. FreeRADIUS and SNMP questions (Geoffroy Arnoud)
6. Re: Freeradius doesn't detect EAP when authenticating against
MySQL (primoz)
7. Re: FreeRADIUS and SNMP questions (Alan DeKok)
8. Re: Freeradius doesn't detect EAP when authenticating against
MySQL (Alan DeKok)
----------------------------------------------------------------------
Message: 1
Date: Tue, 23 Oct 2007 10:10:05 +0300 (EEST)
From: hannu.lammi@wipsl.com
Subject: Are SHA-256 certificates supported?
To: freeradius-users@lists.freeradius.org
Message-ID: <14671.192.100.116.143.1193123405.squirrel@mail.wipsl.com>
Content-Type: text/plain;charset=utf-8
Hi,
I need to set up a RADIUS server that accepts certificates which use
SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set
up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the
box.
After verifying that EAP-TLS authentication works with SHA-1 certificates
I switched to SHA-256 certificate that was created with OpenSSL 0.9.8b,
the same that FreeRADIUS was compiled against.
Here's a snippet of the log I got from my SHA-256 test:
=====
--> verify error:num=7:certificate signature failure
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:0D0C50A1:asn1 encoding
routines:ASN1_item_verify:unknown message digest algorithm
=====
It would seem there's a problem somewhere. It may very well be in the
client I'm using.
So, I'd like to know if FreeRADIUS supports SHA-256 certificates?
If it doesn't, is the support for them planned?
thanks in advance,
- Hannu
------------------------------
Message: 2
Date: Tue, 23 Oct 2007 09:12:03 +0200
From: Alan DeKok <aland@deployingradius.com>
Subject: Re: Freeradius doesn't detect EAP when authenticating against
MySQL
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <471D9EC3.4090609@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
preem wrote:
> So, what is a common practice to do this then?
It's not.
People store MD5 or crypt'd passwords when the ONLY authentication
they're doing is PAP. i.e. Unix logins, where the user supplies a
clear-text password to the authentication system.
For many EAP types, people do NOT store MD5 or crypt'd passwords,
because they're useless.
> I understand its not very
> safe nor sane to store passwords in clear text, thats why I wanted to avoid
> that, however it seems inevitable.
It is safe, sane, and common practice to store passwords in clear text.
> I am managing a wired network for some 300 users, its a student dorm and the
> university owns the network and they require authentication for the ease of
> management and control. 802.1x felt like the right way to go, because we are
> planning some wireless access points as well. There are HP's Procurve 2650
> switches in use. I choose mysql db backend, because I also created set of
> PHP scripts, where users can change their passwords and admin can
> add/del/modify user info.
> So what can one do to avoid storing passes in clear text or is it sane
> enough? The server also serves some web pages and dhcp requests.
Ensure that no one has physical access to the system storing the
passwords. Ensure that no one has network access to the system storing
the passwords.
I would also suggest running the RADIUS server and/or the MySQL server
with passwords on a separate machine from the web/dhcp server. That
way, if someone breaks into the web server, they won't have access to
the passwords.
Alan DeKok.
------------------------------
Message: 3
Date: Tue, 23 Oct 2007 09:23:50 +0200
From: Alan DeKok <aland@deployingradius.com>
Subject: Re: TTLS with Mutual Authentication
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <471DA186.5030601@deployingradius.com>
Content-Type: text/plain; charset=UTF-8
Zolotov, Eyal wrote:
> By ?mutual authentication? I refer to the following authentication process:
>
> 1. The client authenticate the server
Give the client the CA cert used to sign the server cert.
> 2. The server authenticate the client
Create a client cert, signed by the server cert.
> 3. Only than ? the clients sends username + password using MSCHAPv2
In unlang, set:
update control {
EAP-TLS-Require-Client-Cert = yes
}
This forces the server to validate the client cert, which is normally
not required for TTLS.
Alan DeKok.
------------------------------
Message: 4
Date: Tue, 23 Oct 2007 09:25:33 +0200
From: Alan DeKok <aland@deployingradius.com>
Subject: Re: Are SHA-256 certificates supported?
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <471DA1ED.9050806@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
hannu.lammi@wipsl.com wrote:
> I need to set up a RADIUS server that accepts certificates which use
> SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set
> up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the
> box.
If OpenSSL supports it, AND the client supplicant supports it, it
should work.
> Here's a snippet of the log I got from my SHA-256 test:
>
> =====
> --> verify error:num=7:certificate signature failure
> rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
> TLS Alert write:fatal:decrypt error
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:0D0C50A1:asn1 encoding
> routines:ASN1_item_verify:unknown message digest algorithm
That would seem to be an SSL issue.
> So, I'd like to know if FreeRADIUS supports SHA-256 certificates?
> If it doesn't, is the support for them planned?
FreeRADIUS doesn't support SSL. It uses OpenSSL, which *does* support
SSL. So if there are SSL issues, find out why OpenSSL doesn't like the
TLS session.
Alan DeKok.
------------------------------
Message: 5
Date: Tue, 23 Oct 2007 10:04:23 +0200 (CEST)
From: Geoffroy Arnoud <garnoud@yahoo.co.uk>
Subject: FreeRADIUS and SNMP questions
To: FreeRADIUS users <freeradius-users@lists.freeradius.org>
Message-ID: <626622.60897.qm@web27314.mail.ukl.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1
Hi all,
I have 2 questions regarding FreeRADIUS and SNMP:
1/ Is it possible to run 2 FreeRADIUS servers on the
same box, with SNMP support activated? I understand
it's possible, using distinct values for smux_password
parameter.
2/ Connecting FreeRADIUS to Net-SNMP using SMUX is
quite easy. Has anyone connected FreeRADIUS with BMC
PAtrol agent using SMUX?
Thanks for any answer
Geoff.
_____________________________________________________________________________
Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo! Mail
------------------------------
Message: 6
Date: Tue, 23 Oct 2007 10:08:22 +0200
From: primoz <primski@gmail.com>
Subject: Re: Freeradius doesn't detect EAP when authenticating against
MySQL
To: "FreeRadius users mailing list"
<freeradius-users@lists.freeradius.org>
Message-ID:
<ead364dc0710230108u752b2593h4a7885ca04e61ce7@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
On 10/23/07, Alan DeKok <aland@deployingradius.com> wrote:
>
> preem wrote:
> > So, what is a common practice to do this then?
>
> It's not.
>
> People store MD5 or crypt'd passwords when the ONLY authentication
> they're doing is PAP. i.e. Unix logins, where the user supplies a
> clear-text password to the authentication system.
And PAP is not very safe and smart way to go as i read it.
For many EAP types, people do NOT store MD5 or crypt'd passwords,
> because they're useless.
So, crypted passwords are usefull only in web applications? I read a lot
lately about, how one should never store passwords in clear text, i guess
that applies only to web apps.
> I understand its not very
> > safe nor sane to store passwords in clear text, thats why I wanted to
> avoid
> > that, however it seems inevitable.
>
> It is safe, sane, and common practice to store passwords in clear text.
I do not have many experience with this, in fact its my first project on the
matter.
> I am managing a wired network for some 300 users, its a student dorm and
> the
> > university owns the network and they require authentication for the ease
> of
> > management and control. 802.1x felt like the right way to go, because we
> are
> > planning some wireless access points as well. There are HP's Procurve
> 2650
> > switches in use. I choose mysql db backend, because I also created set
> of
> > PHP scripts, where users can change their passwords and admin can
> > add/del/modify user info.
> > So what can one do to avoid storing passes in clear text or is it sane
> > enough? The server also serves some web pages and dhcp requests.
>
> Ensure that no one has physical access to the system storing the
> passwords. Ensure that no one has network access to the system storing
> the passwords.
That will be no problem, since I'm the only one with physical access.
I would also suggest running the RADIUS server and/or the MySQL server
> with passwords on a separate machine from the web/dhcp server. That
> way, if someone breaks into the web server, they won't have access to
> the passwords.
I am using VMWare server, so that won't require much work.
Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Thanks again, for clearing this up.
primski
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20071023/4d843567/attachment-0001.html>
------------------------------
Message: 7
Date: Tue, 23 Oct 2007 10:28:52 +0200
From: Alan DeKok <aland@deployingradius.com>
Subject: Re: FreeRADIUS and SNMP questions
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <471DB0C4.3030305@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Geoffroy Arnoud wrote:
> 1/ Is it possible to run 2 FreeRADIUS servers on the
> same box, with SNMP support activated? I understand
> it's possible, using distinct values for smux_password
> parameter.
I'm not sure. FreeRADIUS tries to grab the IETF RADIUS SNMP OID
space. If there are two servers, they may conflict with their OID
registration.
Perhaps it would be useful to *also* export the IETF SNMP space under
a configurable hierarchy?
> 2/ Connecting FreeRADIUS to Net-SNMP using SMUX is
> quite easy. Has anyone connected FreeRADIUS with BMC
> PAtrol agent using SMUX?
Not me, sorry.
Alan DeKok.
------------------------------
Message: 8
Date: Tue, 23 Oct 2007 10:32:48 +0200
From: Alan DeKok <aland@deployingradius.com>
Subject: Re: Freeradius doesn't detect EAP when authenticating against
MySQL
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <471DB1B0.1000409@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
primoz wrote:
> And PAP is not very safe and smart way to go as i read it.
PAP is fine for RADIUS.
> So, crypted passwords are usefull only in web applications?
That's not at all what I said. I specifically mentioned Unix logins.
Crypt'd passwords are useful only for PAP. There are many, many, kinds
of systems using clear-text passwords (i.e. PAP) for authentication.
> I read a lot
> lately about, how one should never store passwords in clear text, i
> guess that applies only to web apps.
No. It's written by people who either don't understand security, OR
aren't using EAP methods. Again, if all you're doing is PAP, then
crypt'd passwords are OK. If you need EAP, you also need clear-text
passwords.
Stop trying to apply comments from web application "how-to's" to
RADIUS. They're not the same, and the security analysis is not the same.
> It is safe, sane, and common practice to store passwords in clear
> text.
>
> I do not have many experience with this, in fact its my first project on
> the matter.
Then why are you questioning the answers you get here?
Alan DeKok.
------------------------------
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 30, Issue 82
************************************************