Using the various User-Password, Chap-Password, etc... with MySQL
Hey everyone, I was wondering if someone can clearly explain the use of different Password attributes when they're used in a scenario where MySQL is involved. The basic case of User-Password is clear. When the attribute in the radcheck table is User-Password then it's value is the password in clear text and the op is == What about Cleartext-Password? I've added this attribute with op of := and value password in clear text and used radtest as a test, and it results in just re-transmission of Access-Request queries, and basically not working. What about Chap-Password, MD5-Password, SHA1-Password, what are their corresponding values and op like? As a side note, I remember reading somewhere the use of the PASSWORD('somepass') function in MySQL for radcheck's password attributes but I'm really not sure in which context was it. Thanks, Lir.
liran tal wrote:
I was wondering if someone can clearly explain the use of different Password attributes when they're used in a scenario where MySQL is involved.
The different password attributes have nothing to do with MySQL. Put a clear-text password in MySQL, and let the server deal with different authentication protocols.
The basic case of User-Password is clear. When the attribute in the radcheck table is User-Password then it's value is the password in clear text and the op is ==
No. See the recent documentation in 1.1.5 and following. The attribute is Cleartext-Password, and the operator is :=.
What about Cleartext-Password? I've added this attribute with op of := and value password in clear text and used radtest as a test, and it results in just re-transmission of Access-Request queries, and basically not working.
See the FAQ for "it doesn't work". The FAQ, README, INSTALL, etc. all say to run the server in debugging mode.
What about Chap-Password, MD5-Password, SHA1-Password, what are their corresponding values and op like?
Read the documentation in "man rlm_pap", as suggested in the README. Alan DeKok.
Thanks Alan, I've read the manpage on rlm_pap. Regarding the User-Password attribute I understand that it is still support but we moved to using Cleartext-Password which is essentially the same. Regarding the other attributes like Crypt-Password or MD5-Password, the manpage says that these contain the crypted/md5 hashed form of the password. Does that mean that if I use those as the password attribute then in the database I'm supposed to use the MD5() function to encrypt the password I save there? This also brings me to another question, if I can encrypt like that a password in the database even for the Cleartext-Password (or the deprecated User-Password) attribute as the manpage also mentions that rlm_pap, if put last in the authorize section will try to decrypt the password. Do I understand this correctly? Regards, Liran. On 7/29/07, Alan DeKok <aland@deployingradius.com> wrote:
liran tal wrote:
I was wondering if someone can clearly explain the use of different Password attributes when they're used in a scenario where MySQL is involved.
The different password attributes have nothing to do with MySQL.
Put a clear-text password in MySQL, and let the server deal with different authentication protocols.
The basic case of User-Password is clear. When the attribute in the radcheck table is User-Password then it's value is the password in clear text and the op is ==
No. See the recent documentation in 1.1.5 and following. The attribute is Cleartext-Password, and the operator is :=.
What about Cleartext-Password? I've added this attribute with op of := and value password in clear text and used radtest as a test, and it results in just re-transmission of Access-Request queries, and basically not working.
See the FAQ for "it doesn't work". The FAQ, README, INSTALL, etc. all say to run the server in debugging mode.
What about Chap-Password, MD5-Password, SHA1-Password, what are their corresponding values and op like?
Read the documentation in "man rlm_pap", as suggested in the README.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
liran tal wrote:
also mentions that rlm_pap, if put last in the authorize section will try to decrypt the password.
There is no decrypt. The server will crypt the plain text password that comes in the request and compare that to the stored crypted password. That is why only PAP will work since other protocols do not send the password in cleartext in the request. This is why it is recommended that the cleartext password be stored in the DB since then all protocols will work. -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com
Hey, some updates... Ok I've done some tests and thanks to Kegal I was able to move forward with these different 'scenarios'. For having an encrypted password in the database what can be done is to give the user the attribute Crypt-Password and set the Value to be ENCRYPT('somepass') where ENCRYPT() is a MySQL function. Still has to figure out about MD5, SHA1 and CHAP. Thanks so far, Liran. On 7/30/07, liran tal <liransgarage@gmail.com> wrote:
Thanks Alan,
I've read the manpage on rlm_pap. Regarding the User-Password attribute I understand that it is still support but we moved to using Cleartext-Password which is essentially the same.
Regarding the other attributes like Crypt-Password or MD5-Password, the manpage says that these contain the crypted/md5 hashed form of the password. Does that mean that if I use those as the password attribute then in the database I'm supposed to use the MD5() function to encrypt the password I save there?
This also brings me to another question, if I can encrypt like that a password in the database even for the Cleartext-Password (or the deprecated User-Password) attribute as the manpage also mentions that rlm_pap, if put last in the authorize section will try to decrypt the password.
Do I understand this correctly?
Regards, Liran.
On 7/29/07, Alan DeKok <aland@deployingradius.com > wrote:
liran tal wrote:
I was wondering if someone can clearly explain the use of different Password attributes when they're used in a scenario where MySQL is involved.
The different password attributes have nothing to do with MySQL.
Put a clear-text password in MySQL, and let the server deal with different authentication protocols.
The basic case of User-Password is clear. When the attribute in the radcheck table is User-Password then it's value is the password in clear text and the op is ==
No. See the recent documentation in 1.1.5 and following. The attribute is Cleartext-Password, and the operator is :=.
What about Cleartext-Password? I've added this attribute with op of := and value password in clear text and used radtest as a test, and it results in just re-transmission of Access-Request queries, and basically not working.
See the FAQ for "it doesn't work". The FAQ, README, INSTALL, etc. all
say to run the server in debugging mode.
What about Chap-Password, MD5-Password, SHA1-Password, what are their corresponding values and op like?
Read the documentation in "man rlm_pap", as suggested in the README.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Dennis Skinner -
liran tal