On Tue, Nov 11, 2014 at 10:03 PM, Alan DeKok <aland@deployingradius.com> wrote:
E.S. Rosenberg wrote:
Since the hashing functions also exist on the client side what stops the protocols from basing the hash requested from the client on the _hash_ of the users' password?
They're not designed to do that.
This isn't a difficult concept. Protocols are defined to have a certain behavior. You can't just randomly change the behavior, and expect the same results.
All of the rest of your speculations are based on inexperience, and a lack of understanding of how these protocols work. We're not the ones who designed the protocols. We're not the ones who implemented the Microsoft, Apple, etc. side of the protocols. We're just explaining to you why your ideas won't work.
There's no point in discussing changes on this list. For one, you don't know what changes to make, because you don't know how the protocols work. For two, we don't control the protocol design or their implementations. Thanks for all the explanations, this discussion has been enlightening. As far as the don't design/control goes in some other OSS projects I am familiar with the contributors to the project also took active rolls in newer standards to be developed since they were also stakeholder/parties of interest. EAP-PWD definitely looks interesting and I'll be keeping an eye on it.
Above "supporting all existing devices" is mentioned, but we do have the luxury with newer services to say "this service is only supported on" (and since we are a *nix outfit that's even easier we don't have to support MS stuff). Regards and thanks for all your time invested in answering my questions, Eli
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html