RE: FreeRadius + MySQL & Encrypted passwords
We had this problem so we did a dodgy but nonetheless functional small hack to make it work. YMMV but you may find it useful until the next proper release which hopefully will contain the new code which Alan refers to. Tony in radiusd.conf: pap { encryption_scheme = sha1 } in mysql continue to use "Password" in radcheck but set also set Auth-Type:=PAP for the SHA1 encrypted passwords. eg, say user abc1 has a SHA1 encrypted password and def2 has a plaintext password: radcheck: username attribute op value abc1 Password == 760e7dab2836853c63805033e514668301fa9c47 def2 Password == secretxyz radgroupcheck: groupname attribute op value papsha1 Auth-Type := PAP usergroup: username groupname abc1 papsha1 then apply this to main/valuepair.c (ie if Auth-Type==PAP, skip plaintext "Password" check): --- ../freeradius-1.0.4/src/main/valuepair.c 2005-02-07 20:04:47.000000000 +0000 +++ src/main/valuepair.c 2005-07-22 14:56:31.000000000 +0100 @@ -259,7 +259,20 @@ case PW_PASSWORD: if (pairfind(request, PW_PASSWORD) == NULL) { continue; + } else { + int auth_type; + VALUE_PAIR *auth_type_pair; + + if (auth_type_pair=pairfind(check, PW_AUTH_TYPE)) { + if(!strcmp(auth_type_pair->strvalue, "PAP")) { + continue; + } + } } + break; } Thanks Bogdan, I've tried with mysql and the crypt passwords and it works fine. Now I still wondering if there is any way with PAP to enable crypted passwords with MD5 or SHA1. I don't know if I understood ok, tell me if I'm wrong. I think that at the moment it's impossible to enable MD5 or SHA1 for encrypted passwords, but that they are working on it, so perhaps in future versions this will be possible. Thanks, Miguel Angel
participants (1)
-
Tony Redstone