Mircea Harapu wrote:
I'm trying to make a ssh authentication with pam_radius_auth + freeradius + ldap The problem is that radius is sending the password to ldap in clear and not crypted with CRYPT as configured in ldap module . Huh? pam_radius_auth sends the password to FreeRADIUS in the clear, because that's what it does. FreeRADIUS sends this to LDAP because LDAP doesn't understand anything else.
sending passwords in clear in a network is not secure . pam_radius_auth does have md5 crypting capabilities . that's why you need to set radius key .
PAP sends the following radius request:
User-Name = "Someuser" User-Password = "somepassword"
HOWEVER, the User-Password field in a radius packet is defined by RFC to be encrypted with the radius shared secret.
The pam_radius_auth is sending User-Password without beeing encrypted . I have set the same shared secret in /etc/raddb/server and clients.conf
At the radius server, the password field is decrypted and processed in plaintext inside the radius server.
This is at least as secure as sending a plaintext password over the wire.
And there is NO configuration in the LDAP module to send the password in crypted form. I think you're mistaking the configuration that *reads* the password from LDAP for something else.
auto_header = yes that means that it checks for encryption types .
I think Alan, as the main FreeRadius developer, is probably aware of that feature. He is aware that it does NOT do what you claim.
"auto_header" is responsible for detecting the {type} header when the userPassword attribute is *read from* the LDAP server. The {type} field is stripped, and used to put the following value into the correct radius config attribute e.g.
* {clear} -> User-Password * {crypt} -> Crypt-Password * {ssha} -> SSHA-Password
...and so on.
*Then* the radius server processes a PAP request like so:
1. request comes in User-Name = foo User-Password = encrypted_with_radius_secret(bar) 2. authorize section is run 2a. ldap module is run - userPassword: {crypt}baAP5K9PT1lcc 2b. auto_header puts "Crypt-Password = baAP5K9PT1lcc" into config items 3. authenticate is run - Auth-Type = Local 3b. The radius server sees that Crypt-Password is set and does: if (crypt(User-Password, 'ba')=='baAP5K9PT1lcc') auth_ok;
I hope that is clear.
Your original mail stated:
I'm trying to make a ssh authentication with pam_radius_auth +
freeradius +
ldap The problem is that radius is sending the password to ldap in clear and not crypted with CRYPT as configured in ldap module .
As Alan tried to explain to you, pam_auth_radius is doing nothing wrong. What is undoubtedly happening is that you have the radius server configured incorrectly.
I suspect you want it to do this:
1. request comes in 2. fetch password from ldap 3. compare crypted password from LDAP with password supplied
I suspect what it's actually doing is:
1. request comes in 2. ldap searched for user - found 3. password is checked by doing LDAP simple bind
If you want the first, configure the radius server to do that. Hint: see the "set_auth_type = no" option on recent versions of the server, or have the users file read:
DEFAULT Auth-Type := Local
Or, be more clear about what the problem is. "It doesn't work how I think it should" does not help, especially when you are wrong in your assumptions. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html