Hi, noone an idea on the issue below? Is my requirement to have PAP credentials verified against NT-Hashes in mySQL so unusual? I would have thought this was a common thing to do... Am Donnerstag, 26. April 2007 08:51:56 schrieb Stefan Winter:
Hi,
I try to get rid of cleartext passwords stored in a MySQL db, and replace them by NT hashes. I set up a test environment and first tried with an entry in users:
swinter NT-Password := "...", Auth-Type := Accept
which worked okay.
Storing the same password in MySQL did NOT work, with a quite spurious error, see below:
Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 127.0.0.1:52635, id=148, length=59 User-Name = "swinter" User-Password = "test" NAS-IP-Address = 255.255.255.255 NAS-Port = 1234 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "swinter", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 modcall[authorize]: module "files" returns notfound for request 1 radius_xlat: 'swinter' rlm_sql (sql): sql_set_user escaped user --> 'swinter' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'swinter' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch eck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'swinter' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'swinter' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre ply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'swinter' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 3 modcall[authorize]: module "sql" returns ok for request 1 rlm_pap: Normalizing NT-Password from hex encoding modcall[authorize]: module "pap" returns updated for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type pap auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 1 rlm_pap: login attempt with password test rlm_pap: Using NT encryption. radius_xlat: Running registered xlat function of module mschap for string 'NT-Hash test' rlm_mschap: Unknown expansion string "NT-Hash test" radius_xlat: '' rlm_pap: mschap xlat failed rlm_pap: Passwords don't match modcall[authenticate]: module "pap" returns reject for request 1 modcall: leaving group PAP (returns reject) for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1
Especially the lines
radius_xlat: Running registered xlat function of module mschap for string 'NT-Hash test' rlm_mschap: Unknown expansion string "NT-Hash test" radius_xlat: '' rlm_pap: mschap xlat failed
appear suspicious ("test" is the password"). Maybe there's some xlat escaping wrong? The configuration in use is almost as shipped, only added sql config.
Greetings,
Stefan Winter
Content of mySQL is:
+----+----------+-------------+----------------------------------+----+ | id | UserName | Attribute | Value | op | +----+----------+-------------+----------------------------------+----+ | 1 | swinter | NT-Password | 0CB6948805F797BF2A82807973B89537 | := | +----+----------+-------------+----------------------------------+----+
and no radgroupchecks. Sidenote: I looked into the code of rlm_pap and its call to xlat of rlm_mschap. I really couldn't figure out what is supposed to happen in that call, the xlat string "NT-Hash <password>" has no mention at all in rlm_mschaps xlat. Maybe some old code section that got lost somewhen? Greetings, Stefan -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473