Hi folks, Been trying to look for information on this but haven't been able to find anything, prompting me to turn to the mailing list for help. In the event of using salted md5 hashes for passwords, where exactly does one store the salt? There doesn't seem to be a place within the FR config to do that. Any advice would be much appreciated. Thanks in advance! Kind regards, Mark
On Wed, Jan 19, 2011 at 12:39 PM, Mark <mark@edgewire.sg> wrote:
Hi folks,
Been trying to look for information on this but haven't been able to find anything, prompting me to turn to the mailing list for help.
In the event of using salted md5 hashes for passwords, where exactly does one store the salt?
In the beginning of the password.
There doesn't seem to be a place within the FR config to do that. Any advice would be much appreciated.
No special place needed. You're probably confusing MD5-Password and Crypt-Password (which in turn can use MD5 hash). For example, if you use PAP, these three attributes will allow access when user enter password "testpass": Cleartext-Password := "testpass" MD5-Password := "179ad45c6ce2cb97cf1029e212046e81" Crypt-Password := "$1$12345678$duTc/02K9TK/XCYFyofbZ/" Crypt-Password := "122U0BPYjrauc" MD5-Password does not have any salt. Crypt-Password in the first example has the salt "$1$12345678$", with MD5-based hash (crypted passwords have the hash in front of them, which for MD5 starts with $1$ and is 12 characters long) Crypt-Password in the second example has the salt "12", with DES-based hash See also: http://freeradius.org/radiusd/man/rlm_pap.txt http://en.wikipedia.org/wiki/Crypt_(Unix)#MD5-based_scheme http://id.php.net/manual/en/function.crypt.php -- Fajar
Hi Fajar, How did you generate that hash? md5sum of "testpass" doesn't return that value for me. On 19-Jan-2011, at 3:07 PM, Fajar A. Nugraha wrote:
On Wed, Jan 19, 2011 at 12:39 PM, Mark <mark@edgewire.sg> wrote: Hi folks,
Been trying to look for information on this but haven't been able to find anything, prompting me to turn to the mailing list for help.
In the event of using salted md5 hashes for passwords, where exactly does one store the salt?
In the beginning of the password.
There doesn't seem to be a place within the FR config to do that. Any advice would be much appreciated.
No special place needed.
You're probably confusing MD5-Password and Crypt-Password (which in turn can use MD5 hash). For example, if you use PAP, these three attributes will allow access when user enter password "testpass":
Cleartext-Password := "testpass" MD5-Password := "179ad45c6ce2cb97cf1029e212046e81" Crypt-Password := "$1$12345678$duTc/02K9TK/XCYFyofbZ/" Crypt-Password := "122U0BPYjrauc"
MD5-Password does not have any salt. Crypt-Password in the first example has the salt "$1$12345678$", with MD5-based hash (crypted passwords have the hash in front of them, which for MD5 starts with $1$ and is 12 characters long) Crypt-Password in the second example has the salt "12", with DES-based hash
See also: http://freeradius.org/radiusd/man/rlm_pap.txt http://en.wikipedia.org/wiki/Crypt_(Unix)#MD5-based_scheme http://id.php.net/manual/en/function.crypt.php
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Kind regards, Mark
On Wed, Jan 19, 2011 at 4:05 PM, Mark <mark@edgewire.sg> wrote:
Hi Fajar,
How did you generate that hash? md5sum of "testpass" doesn't return that value for me.
the MD5-password? Probably due to new line effect. I created it using php's md5 function (http://php.net/manual/en/function.md5.php) $ echo "<?=md5('testpass');?>"|php;echo 179ad45c6ce2cb97cf1029e212046e81 $ echo -n testpass | md5sum 179ad45c6ce2cb97cf1029e212046e81 - $ echo testpass | md5sum 0ba06b1790d48b9baf71162124a04685 - mysql> select md5('testpass'); +----------------------------------+ | md5('testpass') | +----------------------------------+ | 179ad45c6ce2cb97cf1029e212046e81 | +----------------------------------+ 1 row in set (0.14 sec) See the difference between second and third example? -- Fajar
On 19-Jan-2011, at 3:07 PM, Fajar A. Nugraha wrote:
On Wed, Jan 19, 2011 at 12:39 PM, Mark <mark@edgewire.sg> wrote:
Hi folks,
Been trying to look for information on this but haven't been able to find anything, prompting me to turn to the mailing list for help.
In the event of using salted md5 hashes for passwords, where exactly does one store the salt?
In the beginning of the password.
There doesn't seem to be a place within the FR config to do that. Any advice would be much appreciated.
No special place needed.
You're probably confusing MD5-Password and Crypt-Password (which in turn can use MD5 hash). For example, if you use PAP, these three attributes will allow access when user enter password "testpass":
Cleartext-Password := "testpass" MD5-Password := "179ad45c6ce2cb97cf1029e212046e81" Crypt-Password := "$1$12345678$duTc/02K9TK/XCYFyofbZ/" Crypt-Password := "122U0BPYjrauc"
MD5-Password does not have any salt. Crypt-Password in the first example has the salt "$1$12345678$", with MD5-based hash (crypted passwords have the hash in front of them, which for MD5 starts with $1$ and is 12 characters long) Crypt-Password in the second example has the salt "12", with DES-based hash
See also: http://freeradius.org/radiusd/man/rlm_pap.txt http://en.wikipedia.org/wiki/Crypt_(Unix)#MD5-based_scheme http://id.php.net/manual/en/function.crypt.php
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fajar A. Nugraha <list@fajar.net> wrote:
How did you generate that hash? md5sum of "testpass" doesn't return that value for me.
the MD5-password? Probably due to new line effect. I created it using php's md5 function (http://php.net/manual/en/function.md5.php)
...the rest of us use the unlang xlat md5 feature. Cheers -- Alexander Clouter .sigmonster says: Cobol programmers are down in the dumps.
Nevermind this, found the solution. http://blog.sam-pointer.com/2010/01/26/md5sum-vs-phps-md5-function Thanks all. On 19-Jan-2011, at 3:07 PM, Fajar A. Nugraha wrote:
On Wed, Jan 19, 2011 at 12:39 PM, Mark <mark@edgewire.sg> wrote: Hi folks,
Been trying to look for information on this but haven't been able to find anything, prompting me to turn to the mailing list for help.
In the event of using salted md5 hashes for passwords, where exactly does one store the salt?
In the beginning of the password.
There doesn't seem to be a place within the FR config to do that. Any advice would be much appreciated.
No special place needed.
You're probably confusing MD5-Password and Crypt-Password (which in turn can use MD5 hash). For example, if you use PAP, these three attributes will allow access when user enter password "testpass":
Cleartext-Password := "testpass" MD5-Password := "179ad45c6ce2cb97cf1029e212046e81" Crypt-Password := "$1$12345678$duTc/02K9TK/XCYFyofbZ/" Crypt-Password := "122U0BPYjrauc"
MD5-Password does not have any salt. Crypt-Password in the first example has the salt "$1$12345678$", with MD5-based hash (crypted passwords have the hash in front of them, which for MD5 starts with $1$ and is 12 characters long) Crypt-Password in the second example has the salt "12", with DES-based hash
See also: http://freeradius.org/radiusd/man/rlm_pap.txt http://en.wikipedia.org/wiki/Crypt_(Unix)#MD5-based_scheme http://id.php.net/manual/en/function.crypt.php
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Kind regards, Mark
Mark wrote:
In the event of using salted md5 hashes for passwords, where exactly does one store the salt? There doesn't seem to be a place within the FR config to do that. Any advice would be much appreciated.
The salt is stored in the same string as the hashed password. See wikipedia for descriptions of how salted passwords work, or "man crypt". Alan DeKok.
Alan, Fajar, Thank you both for your help and advice on this. On 19-Jan-2011, at 3:14 PM, Alan DeKok wrote:
Mark wrote:
In the event of using salted md5 hashes for passwords, where exactly does one store the salt? There doesn't seem to be a place within the FR config to do that. Any advice would be much appreciated.
The salt is stored in the same string as the hashed password. See wikipedia for descriptions of how salted passwords work, or "man crypt".
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Kind regards, Mark
participants (4)
-
Alan DeKok -
Alexander Clouter -
Fajar A. Nugraha -
Mark