On Thu, 2006-16-03 at 10:45 +0100, KNO wrote:
On 3/16/06, Alan DeKok <aland@ox.org> wrote:
"Fabiano Rodrigo Boscatto" <fabiano.boscatto@pucpr.br> wrote:
Hi there, i have freeradius working fine with mysql authentication. The problem is that the User-Password is stored in mysql table as clear text. Is there a way to crypt that?
Change User-Password to Crypt-Password, and encrypt the password with the Unix crypt() tool.
Then CHAP & MS-CHAP stop working.
If you want to encrypt the password with some kind of key, and then make the key available to FreeRADIUS too, that might be useful. Maybe.
But it's not as useful as it might first look. You're better off controlling access to the entire MySQL DB, which contains a lot more security information than the clear-text password.
Alan DeKok.
And what I must to do if I want to use MD5 to store the passwords? Greets, Aitor
If you are using a Unix/Linux system that can use MD5 passwords in the password file, then -libcrypt likely supports MD5 passwords. I have tested using SHA1/DES/MD5 encrypted passwords from the system password file on FreeBSD and put them in SQL and it worked. One thing I discovered while testing was that you will need to set Auth-Type := Crypt-Local and Crypt-Password == '<encrypted-data>'. I tend to put the Auth-Type settings in radgroupcheck and assign users with encrypted passwords to different groups than those with clear text. Example: 1 chap-unlimited Auth-Type := Local 2 pap-unlimited Auth-Type := Crypt-Local Then radcheck would be like : 1 fredf User-Password == wilma 2 troll Crypt-Password == $1$f3d5.Cf9$aeM0tnhrmahLR/yHMlEwU1 And usergroup would be like : 1 fredf chap-unlimited 2 troll pap-unlimited I have just started working on a new PHP management system and am intending on supporting the system crypt() command for encoding passwords when updated. Dialup Admin has not been updated much, since the last time I used it, and it does not provide many of the functions I need. I am using code I have written from scratch, but in the day I have been working on it I have almost got a function that correctly parses radiusd.conf and any files included. Once I can accurately read the all the config files that are not intended on being deprecated then I will make the functions to modify them. Once that is done I will concentrate on functions to maintain MySQL and PostgreSQL users and accounting tasks. It is a fairly large task, and it may get sidelined for or more simple system, but I want to start using FreeRadius, so I can decommission the Cistron server I customized to send accounting info directly to a PostgreSQL data base. Although the current system has been working flawlessly for over 5 years, FreeBSD has a lot more functionality, flexibility and is currently maintained by more people than just me. TTFN