Hi all! I've come across an issue with verification of {SSHA} encrypted passwords in FreeRadius 1.1.4. Verification fails for correct passwords. I've managed to track problem through normify() to base64_decode() function in rlm_pap.c. This seems to be a culprit: if (src[length] != '=') return 0; /* no trailing '=' */ Code assumes every base64-encoded string must end with trailing '=', but this assumption does not seem to be true. SSHA encrypted base64 encoded password does not. E.g.: $ /usr/sbin/slappasswd -h {SSHA} -s password {SSHA}n0woq5pPczJ2k/z12gWO8Ita4mvuBlSE It seems that trailing '='s are only used, when padding is required: $ perl -e 'use MIME::Base64; print encode_base64("a")' YQ== $ perl -e 'use MIME::Base64; print encode_base64("aa")' YWE= $ perl -e 'use MIME::Base64; print encode_base64("aaa")' YWFh $ perl -e 'use MIME::Base64; print encode_base64("aaaa")' YWFhYQ== With check removed, SSHA passwords work fine. But I'm not sure if it has a chance to break something else. Ideas for better fix? th.