Hi all, Does freeradius use SHA1 for hashing? Is there any plans to mi grade from SHA1 to SHA2? Regards, Logeswari.
Does freeradius use SHA1 for hashing? Is there any plans to mi grade from SHA1 to SHA2?
I believe it does for CUI generation... the expression engine has support for sha1 (but not sha2). There is SHA2 support for passwords. As Alan D always says: contributions and patches always welcome. ;-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Hi,
Does freeradius use SHA1 for hashing? Is there any plans to mi grade from SHA1 to SHA2?
what for? eg rlm_pap does: Header Attribute Description ------ --------- ----------- {clear} Cleartext-Password clear-text passwords {cleartext} Cleartext-Password clear-text passwords {crypt} Crypt-Password Unix-style "crypt"ed passwords {md5} MD5-Password MD5 hashed passwords {base64_md5} MD5-Password MD5 hashed passwords {smd5} SMD5-Password MD5 hashed passwords, with a salt {sha} SHA-Password SHA1 hashed passwords SHA1-Password SHA1 hashed passwords {ssha} SSHA-Password SHA1 hashed passwords, with a salt SSHA1-Password SHA1 hashed passwords, with a salt {ssh2} SHA2-Password SHA2 hashed passwords {ssh256} SHA2-Password SHA2 hashed passwords {ssh512} SHA2-Password SHA2 hashed passwords {nt} NT-Password Windows NT hashed passwords {nthash} NT-Password Windows NT hashed passwords {x-nthash} NT-Password Windows NT hashed passwords {ns-mta-md5} NS-MTA-MD5-Password Netscape MTA MD5 hashed passwords {x- orcllmv} LM-Password Windows LANMAN hashed passwords {X- orclntv} LM-Password Windows LANMAN hashed passwords alan
On 24-01-17 14:45, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
Does freeradius use SHA1 for hashing? Is there any plans to mi grade from SHA1 to SHA2?
what for? eg rlm_pap does:
But that doesn't really fit into the question on migration plans to SHA2, because this is coupled to the datastore of the user, not to the server code itself. I have to admit I've got no idea what the question really is about though. -- Herwin Weststrate
server code itself. I have to admit I've got no idea what the question really is about though.
Hashing support? ;-) Oh, and apparently (if I read rlm_expr.c correctly), FR *does* support SHA2 in the expression engine... any OpenSSL EVP_MD digest is supported (see line 1008 and beyond). In the code that means SHA256 and SHA512 (according to mod_bootstrap anyway). :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
On Jan 24, 2017, at 9:40 AM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
server code itself. I have to admit I've got no idea what the question really is about though.
Hashing support? ;-)
Open-ended questions like that just confuse me. A better question is "Does FR support SHA2 *for a particular purpose*".
Oh, and apparently (if I read rlm_expr.c correctly), FR *does* support SHA2 in the expression engine... any OpenSSL EVP_MD digest is supported (see line 1008 and beyond).
In the code that means SHA256 and SHA512 (according to mod_bootstrap anyway).
Yes. Lots of support for SHA2 for *multiple purposes*. Password comparisons, etc. Otherwise, a bad answer to the bad question would be "Yes, FreeRADIUS supports SHA2". Alan DeKok.
Sorry, for an incomplete question. What i meant was "Does freeradius use SHA1 for hashing the challenge and generating authenticator response in case of MSCHAP2 authentication?" If yes, is there a plan to replace it with SHA2 due to SHA1 deprecation? Will the RFC 2759 be updated for the same? On Tue, Jan 24, 2017 at 8:18 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 24, 2017, at 9:40 AM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
server code itself. I have to admit I've got no idea what the question really is about though.
Hashing support? ;-)
Open-ended questions like that just confuse me. A better question is "Does FR support SHA2 *for a particular purpose*".
Oh, and apparently (if I read rlm_expr.c correctly), FR *does* support SHA2 in the expression engine... any OpenSSL EVP_MD digest is supported (see line 1008 and beyond).
In the code that means SHA256 and SHA512 (according to mod_bootstrap anyway).
Yes. Lots of support for SHA2 for *multiple purposes*. Password comparisons, etc.
Otherwise, a bad answer to the bad question would be "Yes, FreeRADIUS supports SHA2".
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On 25-01-17 05:23, Logeswari Viswanath wrote:
Sorry, for an incomplete question.
What i meant was "Does freeradius use SHA1 for hashing the challenge and generating authenticator response in case of MSCHAP2 authentication?" If yes, is there a plan to replace it with SHA2 due to SHA1 deprecation? Will the RFC 2759 be updated for the same?
MSCHAP2 is not something specifically for FreeRADIUS, but it's a worldwide used standard. You can't just change that without breaking the world. -- Herwin Weststrate
On Jan 24, 2017, at 11:23 PM, Logeswari Viswanath <logi85@gmail.com> wrote:
What i meant was "Does freeradius use SHA1 for hashing the challenge and generating authenticator response in case of MSCHAP2 authentication?"
The MS-CHAP specifications are public, and can be read by anyone. There's no need to ask a question here and wait days for an answer. You can find the answer with about 5 minutes of searching the net.
If yes, is there a plan to replace it with SHA2 due to SHA1 deprecation? Will the RFC 2759 be updated for the same?
MS-CHAP uses MD4, not SHA1. If you had read RFC 2759, you would see that. Also, if you had read RFC 2759, you would know the procedures for updating RFCs. Which is controlled by the IETF, not by FreeRADIUS. Alan DeKok.
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Herwin Weststrate -
Logeswari Viswanath -
Stefan Paetow