Problem with Digest/OpenSER/Radius
Hi. My problem is such, that we store our passwords in Md5 in database, when authorization request comes from ser, i get digest attributes. I issue: authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \ FROM ${authcheck_table} \ WHERE Username = '%{SQL-User-Name}' \ ORDER BY id" And in Database I have: id = 1 UserName = test001 Attribute=User-Password Value = test Now, my real database stores passwords as md5 hashes and the radius compares the clear text passwords, how can i force it to compate md5 hashes of passwords? -- Dariusz Dwornikowski tdi@vercom.pl
Dariusz Dwornikowski wrote:
Hi. My problem is such, that we store our passwords in Md5 in database, when authorization request comes from ser, i get digest attributes. I issue:
Digest authentication and MD5 hashed passwords are incompatible. It won't work.
And in Database I have:
id = 1 UserName = test001 Attribute=User-Password Value = test
Now, my real database stores passwords as md5 hashes and the radius compares the clear text passwords, how can i force it to compate md5 hashes of passwords?
Use the "MD5-Password" attribute, not the "User-Password" attribute. See "man rlm_pap" for more. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On 2007-03-15, at 16:55, Alan DeKok wrote:
Dariusz Dwornikowski wrote:
Hi. My problem is such, that we store our passwords in Md5 in database, when authorization request comes from ser, i get digest attributes. I issue:
Digest authentication and MD5 hashed passwords are incompatible.
It won't work. so I HAVE to user clear text passwords? I was thinking just to compare md5 of password from SIP package.
I also tried to use Digest-HA1 instead of User-Password in database, but it does not work (i am using freeradius 1.1.4). getting: rlm_digest: Configuration item "User-Password" or Digest-HA1 is required for authentication.
And in Database I have:
id = 1 UserName = test001 Attribute=User-Password Value = test
Now, my real database stores passwords as md5 hashes and the radius compares the clear text passwords, how can i force it to compate md5 hashes of passwords?
Use the "MD5-Password" attribute, not the "User-Password" attribute. See "man rlm_pap" for more.
can it be combined with digest ? as I am gennting all the time: rlm_digest: Configuration item "User-Password" or Digest-HA1 is required for authentication.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
-- Dariusz Dwornikowski tdi@vercom.pl
You have a table on Alan DeKok's site explaining what protocol/password hashing combinations are possible and which are not: http://deployingradius.com/documents/protocols/compatibility.html Ivan Kalik Kalik Informatika ISP Dana 15/3/2007, "Dariusz Dwornikowski" <tdi@vercom.pl> piše:
On 2007-03-15, at 16:55, Alan DeKok wrote:
Dariusz Dwornikowski wrote:
Hi. My problem is such, that we store our passwords in Md5 in database, when authorization request comes from ser, i get digest attributes. I issue:
Digest authentication and MD5 hashed passwords are incompatible.
It won't work. so I HAVE to user clear text passwords? I was thinking just to compare md5 of password from SIP package.
I also tried to use Digest-HA1 instead of User-Password in database, but it does not work (i am using freeradius 1.1.4). getting: rlm_digest: Configuration item "User-Password" or Digest-HA1 is required for authentication.
And in Database I have:
id = 1 UserName = test001 Attribute=User-Password Value = test
Now, my real database stores passwords as md5 hashes and the radius compares the clear text passwords, how can i force it to compate md5 hashes of passwords?
Use the "MD5-Password" attribute, not the "User-Password" attribute. See "man rlm_pap" for more.
can it be combined with digest ? as I am gennting all the time:
rlm_digest: Configuration item "User-Password" or Digest-HA1 is required for authentication.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
-- Dariusz Dwornikowski tdi@vercom.pl
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 2007-03-15, at 21:31, <tnt@kalik.co.yu> <tnt@kalik.co.yu> wrote:
You have a table on Alan DeKok's site explaining what protocol/ password hashing combinations are possible and which are not:
http://deployingradius.com/documents/protocols/compatibility.html
Ivan Kalik Kalik Informatika ISP
as i understand, I get Digest of a triple: user:realm:password. This is MD5 hashed. Radius gets it and takes the same from db and calculates it compares and says Access-Accept or Reject. There is no way in my mind to have my passwords not in cleat text in db. Am i correct? -- Dariusz Dwornikowski tdi@vercom.pl
Dariusz Dwornikowski wrote:
as i understand, I get Digest of a triple:
user:realm:password. This is MD5 hashed.
Then you don't have the passwords stored in MD5 hashed form. The MD5 hash includes *more* than just the password. Please be specific in describing what you're doing. It matters a LOT.
Radius gets it and takes the same from db and calculates it compares and says Access-Accept or Reject. There is no way in my mind to have my passwords not in cleat text in db. Am i correct?
You are almost always better off storing clear-text passwords in the DB. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (3)
-
Alan DeKok -
Dariusz Dwornikowski -
tnt@kalik.co.yu