Help with external authentication using PHP
Hi all, Please our users' password are encrypted using crypt() (blowfish) function in PHP. Now I want to use password_verify() to check the submitted password and I intend doing that in PHP. I have updated my authorize section to use the external PHP script like this: update control { Auth-type := "/usr/bin/php -f /etc/freeradius/3.0/php/checkpassword.php %{User-Name} %{User-Password}" &Proxy-To-Realm := LOCAL } But only the username is sent to the external PHP file. The password is empty. We are already running a large database and it may not be easy to change to another encryption method. Therefore this is very important and we really need to implement it. Please can someone help. Thanks. Regards ___________________________ Ekene Ezeasor IT Consultant, Codee Solutions *Phone*: 08063961963 *Web*: www.codeeltd.com ------------------------------ *DISCLAIMER NOTICE:* *This e-mail, any attachments thereto and response string is intended solely for the attention and use of the addressee(s) named herein and may contain legally privileged and/or confidential information. In the event that you are not the intended recipient(s) of this e-mail and any attachments thereto, be notified that any dissemination, distribution or copying of this e-mail and any attachments thereto, is strictly prohibited. If you have received or otherwise encountered this e-mail in error, please immediately notify the sender and permanently delete the e-mail, any attachments and response string as well as any copy printout in connection therewith.* ------------------------------
On Apr 5, 2019, at 11:22 AM, Ekene Ezeasor <ezeasorekene@gmail.com> wrote:
Please our users' password are encrypted using crypt() (blowfish) function in PHP. Now I want to use password_verify() to check the submitted password and I intend doing that in PHP. I have updated my authorize section to use the external PHP script like this:
update control { Auth-type := "/usr/bin/php -f /etc/freeradius/3.0/php/checkpassword.php %{User-Name} %{User-Password}" &Proxy-To-Realm := LOCAL }
But only the username is sent to the external PHP file. The password is empty.
If you're using WiFi, the User-Password won't exist. See the debug output for more information.
We are already running a large database and it may not be easy to change to another encryption method. Therefore this is very important and we really need to implement it.
See: http://deployingradius.com/documents/protocols/compatibility.html The clients will need to do TTLS with inner-tunnel PAP. Everything else won't work. Your choices are: * use TTLS with inner PAP * don't do WiFi * change all the passwords in the database to clear-text Pick one. Alan DeKok
Thank you Alan for your reply. Changing the passwords to clear-text is not an option ofcourse and we do Wi-Fi. Assuming we want to start using the SQL authorization with sha512 (with hash). How do I implement the SQL query to check for sha512 password using the correct hash? Thanks On Fri, Apr 5, 2019 at 4:29 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 5, 2019, at 11:22 AM, Ekene Ezeasor <ezeasorekene@gmail.com> wrote:
Please our users' password are encrypted using crypt() (blowfish) function in PHP. Now I want to use password_verify() to check the submitted password and I intend doing that in PHP. I have updated my authorize section to use the external PHP script like this:
update control { Auth-type := "/usr/bin/php -f /etc/freeradius/3.0/php/checkpassword.php %{User-Name} %{User-Password}" &Proxy-To-Realm := LOCAL }
But only the username is sent to the external PHP file. The password is empty.
If you're using WiFi, the User-Password won't exist. See the debug output for more information.
We are already running a large database and it may not be easy to change to another encryption method. Therefore this is very important and we really need to implement it.
See:
http://deployingradius.com/documents/protocols/compatibility.html
The clients will need to do TTLS with inner-tunnel PAP. Everything else won't work.
Your choices are:
* use TTLS with inner PAP * don't do WiFi * change all the passwords in the database to clear-text
Pick one.
Alan DeKok
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 5, 2019, at 12:03 PM, Ekene Ezeasor <ezeasorekene@gmail.com> wrote:
Changing the passwords to clear-text is not an option ofcourse and we do Wi-Fi. Assuming we want to start using the SQL authorization with sha512 (with hash). How do I implement the SQL query to check for sha512 password using the correct hash?
Are you using TTLS with inner PAP? If not, then what you want is impossible. If blowfish doesn't work, then changing to SHA512 hashed passwords won't help. Understanding the problem helps here. Alan DeKok.
Good afternoon to all, Currently I have almost 1000 clients (enterprises) using your own MySQL database and FreeRadius instance, working very Well. (each one with their own Linux server) Recently, some of them ask me to host the database and FreeRadius, to avoid infra-sctructure problems. Is it possible to run just one FreeRadius Server, where it will be multiple MySQL databases, and “tell” to FreeRadius authenticate according client IP ? Example: Client Enterprise 1 -> NAS IP 200.200.200.200 --> Then the FreeRadius will use MySQL database “client1” Client Enterprise 2 -> NAS IP 100.100.100.100 --> Then the FreeRadius will use MySQL database “client2” Client Enterprise 3 -> NAS IP 222.222.222.222 --> Then the FreeRadius will use MySQL database “client3” In this way, every enterprise could have their own usernames, where the username “joao” from client1 is diferent than “joao” from client2. I research a little about virtual servers and sql instances, but I don´t know if this is the correct way. What do you guys think about it ? We are talking about 1000 enterprises and almost 1.000.000 usernames. Rafael Labiak Olivastro http://www.vigo.com.br Enviado do Email<https://go.microsoft.com/fwlink/?LinkId=550986> para Windows 10 ________________________________ De: Freeradius-Users <freeradius-users-bounces+rolivastro=hotmail.com@lists.freeradius.org> em nome de Alan DeKok <aland@deployingradius.com> Enviado: Friday, April 5, 2019 12:10:28 PM Para: FreeRadius users mailing list Assunto: Re: Help with external authentication using PHP On Apr 5, 2019, at 12:03 PM, Ekene Ezeasor <ezeasorekene@gmail.com> wrote:
Changing the passwords to clear-text is not an option ofcourse and we do Wi-Fi. Assuming we want to start using the SQL authorization with sha512 (with hash). How do I implement the SQL query to check for sha512 password using the correct hash?
Are you using TTLS with inner PAP? If not, then what you want is impossible. If blowfish doesn't work, then changing to SHA512 hashed passwords won't help. Understanding the problem helps here. Alan DeKok. - List info/subscribe/unsubscribe? See https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C6e61990faf4e425fb0ae08d6b9e14738%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636900774536523880&sdata=77U%2FMr80B1EYVpHJgEcv9r3c4WdyjQxaINrZVp6hew8%3D&reserved=0
Good afternoon to all, Currently I have almost 1000 clients (enterprises) using your own MySQL database and FreeRadius instance, working very Well. (each one with their own Linux server) Recently, some of them ask me to host the database and FreeRadius, to avoid infra-sctructure problems. Is it possible to run just one FreeRadius Server, where it will be multiple MySQL databases, and “tell” to FreeRadius authenticate according client IP ? Example: Client Enterprise 1 -> NAS IP 200.200.200.200 --> Then the FreeRadius will use MySQL database “client1” Client Enterprise 2 -> NAS IP 100.100.100.100 --> Then the FreeRadius will use MySQL database “client2” Client Enterprise 3 -> NAS IP 222.222.222.222 --> Then the FreeRadius will use MySQL database “client3” In this way, every enterprise could have their own usernames, where the username “joao” from client1 is diferent than “joao” from client2. I research a little about virtual servers and sql instances, but I don´t know if this is the correct way. What do you guys think about it ? We are talking about 1000 enterprises and almost 1.000.000 usernames. Rafael Labiak Olivastro http://www.vigo.com.br Enviado do Email<https://go.microsoft.com/fwlink/?LinkId=550986> para Windows 10 ________________________________ De: Freeradius-Users <freeradius-users-bounces+rolivastro=hotmail.com@lists.freeradius.org> em nome de Alan DeKok <aland@deployingradius.com> Enviado: Friday, April 5, 2019 12:10:28 PM Para: FreeRadius users mailing list Assunto: Re: Help with external authentication using PHP On Apr 5, 2019, at 12:03 PM, Ekene Ezeasor <ezeasorekene@gmail.com> wrote:
Changing the passwords to clear-text is not an option ofcourse and we do Wi-Fi. Assuming we want to start using the SQL authorization with sha512 (with hash). How do I implement the SQL query to check for sha512 password using the correct hash?
Are you using TTLS with inner PAP? If not, then what you want is impossible. If blowfish doesn't work, then changing to SHA512 hashed passwords won't help. Understanding the problem helps here. Alan DeKok. - List info/subscribe/unsubscribe? See https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C6e61990faf4e425fb0ae08d6b9e14738%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636900774536523880&sdata=77U%2FMr80B1EYVpHJgEcv9r3c4WdyjQxaINrZVp6hew8%3D&reserved=0
Rafael, 1. Add multiples sql statements in /opt/freeradius4/etc/raddb/mods-available/sql. e.g: clientX_sql { .... }, clientY_sql { .... } 2. Then, create somelogic to forward the authentications based on %{NAS-IP-Address} e.g: if ("%{NAS-IP-Address}" == "X") { %{clientX_sql: SELECT * ...... } } .... ps: Maybe something based on realm can be better. Boa sorte. -- Jorge Pereira On Fri, Apr 5, 2019 at 6:42 PM Rafael Labiak Olivastro < rolivastro@hotmail.com> wrote:
Good afternoon to all,
Currently I have almost 1000 clients (enterprises) using your own MySQL database and FreeRadius instance, working very Well. (each one with their own Linux server)
Recently, some of them ask me to host the database and FreeRadius, to avoid infra-sctructure problems.
Is it possible to run just one FreeRadius Server, where it will be multiple MySQL databases, and “tell” to FreeRadius authenticate according client IP ?
Example:
Client Enterprise 1 -> NAS IP 200.200.200.200 --> Then the FreeRadius will use MySQL database “client1”
Client Enterprise 2 -> NAS IP 100.100.100.100 --> Then the FreeRadius will use MySQL database “client2”
Client Enterprise 3 -> NAS IP 222.222.222.222 --> Then the FreeRadius will use MySQL database “client3”
In this way, every enterprise could have their own usernames, where the username “joao” from client1 is diferent than “joao” from client2.
I research a little about virtual servers and sql instances, but I don´t know if this is the correct way.
What do you guys think about it ?
We are talking about 1000 enterprises and almost 1.000.000 usernames.
Rafael Labiak Olivastro
Enviado do Email<https://go.microsoft.com/fwlink/?LinkId=550986> para Windows 10
________________________________ De: Freeradius-Users <freeradius-users-bounces+rolivastro= hotmail.com@lists.freeradius.org> em nome de Alan DeKok < aland@deployingradius.com> Enviado: Friday, April 5, 2019 12:10:28 PM Para: FreeRadius users mailing list Assunto: Re: Help with external authentication using PHP
On Apr 5, 2019, at 12:03 PM, Ekene Ezeasor <ezeasorekene@gmail.com> wrote:
Changing the passwords to clear-text is not an option ofcourse and we do Wi-Fi. Assuming we want to start using the SQL authorization with sha512 (with hash). How do I implement the SQL query to check for sha512 password using the correct hash?
Are you using TTLS with inner PAP? If not, then what you want is impossible.
If blowfish doesn't work, then changing to SHA512 hashed passwords won't help.
Understanding the problem helps here.
Alan DeKok.
- List info/subscribe/unsubscribe? See https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C6e61990faf4e425fb0ae08d6b9e14738%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636900774536523880&sdata=77U%2FMr80B1EYVpHJgEcv9r3c4WdyjQxaINrZVp6hew8%3D&reserved=0 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This is exactly what I did with my previous employer but we had around 4 million users in the database. We used a LDAP database rather than SQL for it's read performance and I was looking to move to an in-memory redis database before I left but I don't think that ever happened. I used client-shortname and realms as we had possibilities of users coming in via different NAS types and I had to do a number of decisions based on the source NAS type which I bundled up using client-shortname. The auth normally isn't the big issue it is the accounting that will be the problem depending on what exactly you need to do. Freeradius will cope with it fine with little or no tweaking other than configuration of the policies you require and some unlang logic. What you will need to put a fair amount of planning into how you structure and deploy your database to make sure it is fast enough to cope with the load. You may need to go down the disconnected accounting and offload that traffic to dedicated accounting servers depending on how frequently the NASs send interim updates and if you are billing based on usage. Fun times ahead. On Sat, Apr 6, 2019 at 11:01 AM Jorge Pereira <jpereira@freeradius.org> wrote:
Rafael,
1. Add multiples sql statements in /opt/freeradius4/etc/raddb/mods-available/sql. e.g: clientX_sql { .... }, clientY_sql { .... } 2. Then, create somelogic to forward the authentications based on %{NAS-IP-Address}
e.g:
if ("%{NAS-IP-Address}" == "X") { %{clientX_sql: SELECT * ...... } } ....
ps: Maybe something based on realm can be better. Boa sorte.
-- Jorge Pereira
On Fri, Apr 5, 2019 at 6:42 PM Rafael Labiak Olivastro < rolivastro@hotmail.com> wrote:
Good afternoon to all,
Currently I have almost 1000 clients (enterprises) using your own MySQL database and FreeRadius instance, working very Well. (each one with their own Linux server)
Recently, some of them ask me to host the database and FreeRadius, to avoid infra-sctructure problems.
Is it possible to run just one FreeRadius Server, where it will be multiple MySQL databases, and “tell” to FreeRadius authenticate according client IP ?
Example:
Client Enterprise 1 -> NAS IP 200.200.200.200 --> Then the FreeRadius
will
use MySQL database “client1”
Client Enterprise 2 -> NAS IP 100.100.100.100 --> Then the FreeRadius will use MySQL database “client2”
Client Enterprise 3 -> NAS IP 222.222.222.222 --> Then the FreeRadius will use MySQL database “client3”
In this way, every enterprise could have their own usernames, where the username “joao” from client1 is diferent than “joao” from client2.
I research a little about virtual servers and sql instances, but I don´t know if this is the correct way.
What do you guys think about it ?
We are talking about 1000 enterprises and almost 1.000.000 usernames.
Rafael Labiak Olivastro
Enviado do Email<https://go.microsoft.com/fwlink/?LinkId=550986> para Windows 10
________________________________ De: Freeradius-Users <freeradius-users-bounces+rolivastro= hotmail.com@lists.freeradius.org> em nome de Alan DeKok < aland@deployingradius.com> Enviado: Friday, April 5, 2019 12:10:28 PM Para: FreeRadius users mailing list Assunto: Re: Help with external authentication using PHP
On Apr 5, 2019, at 12:03 PM, Ekene Ezeasor <ezeasorekene@gmail.com> wrote:
Changing the passwords to clear-text is not an option ofcourse and we do Wi-Fi. Assuming we want to start using the SQL authorization with sha512 (with hash). How do I implement the SQL query to check for sha512 password using the correct hash?
Are you using TTLS with inner PAP? If not, then what you want is impossible.
If blowfish doesn't work, then changing to SHA512 hashed passwords won't help.
Understanding the problem helps here.
Alan DeKok.
- List info/subscribe/unsubscribe? See
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C6e61990faf4e425fb0ae08d6b9e14738%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636900774536523880&sdata=77U%2FMr80B1EYVpHJgEcv9r3c4WdyjQxaINrZVp6hew8%3D&reserved=0 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes Various ways of doing this. You could have one master FR server with many many SQL configs (And many DBs) Or one FR server with many tables in one big DB Or one FR proxying to many backend FR servers Where that one FR server could be one load balanced cluster really Cost it out, work out DB requirements (reads can be fast with few updates happening). This is the sort of thing where is the DB that will make our break the solution (Personally I'd be looking at AWS with RDS etc) One of those above solutions scales horizontally to silly levels (with very very little OS/DB management overhead) It's all about what your finances can cover alan On Fri, 5 Apr 2019, 22:42 Rafael Labiak Olivastro, <rolivastro@hotmail.com> wrote:
Good afternoon to all,
Currently I have almost 1000 clients (enterprises) using your own MySQL database and FreeRadius instance, working very Well. (each one with their own Linux server)
Recently, some of them ask me to host the database and FreeRadius, to avoid infra-sctructure problems.
Is it possible to run just one FreeRadius Server, where it will be multiple MySQL databases, and “tell” to FreeRadius authenticate according client IP ?
Example:
Client Enterprise 1 -> NAS IP 200.200.200.200 --> Then the FreeRadius will use MySQL database “client1”
Client Enterprise 2 -> NAS IP 100.100.100.100 --> Then the FreeRadius will use MySQL database “client2”
Client Enterprise 3 -> NAS IP 222.222.222.222 --> Then the FreeRadius will use MySQL database “client3”
In this way, every enterprise could have their own usernames, where the username “joao” from client1 is diferent than “joao” from client2.
I research a little about virtual servers and sql instances, but I don´t know if this is the correct way.
What do you guys think about it ?
We are talking about 1000 enterprises and almost 1.000.000 usernames.
Rafael Labiak Olivastro
Enviado do Email<https://go.microsoft.com/fwlink/?LinkId=550986> para Windows 10
________________________________ De: Freeradius-Users <freeradius-users-bounces+rolivastro= hotmail.com@lists.freeradius.org> em nome de Alan DeKok < aland@deployingradius.com> Enviado: Friday, April 5, 2019 12:10:28 PM Para: FreeRadius users mailing list Assunto: Re: Help with external authentication using PHP
On Apr 5, 2019, at 12:03 PM, Ekene Ezeasor <ezeasorekene@gmail.com> wrote:
Changing the passwords to clear-text is not an option ofcourse and we do Wi-Fi. Assuming we want to start using the SQL authorization with sha512 (with hash). How do I implement the SQL query to check for sha512 password using the correct hash?
Are you using TTLS with inner PAP? If not, then what you want is impossible.
If blowfish doesn't work, then changing to SHA512 hashed passwords won't help.
Understanding the problem helps here.
Alan DeKok.
- List info/subscribe/unsubscribe? See https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C6e61990faf4e425fb0ae08d6b9e14738%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636900774536523880&sdata=77U%2FMr80B1EYVpHJgEcv9r3c4WdyjQxaINrZVp6hew8%3D&reserved=0 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What I used to do years back is encrypt the password in the Database -
with a reversible key. That is - use a 'password' to both encrypt and
decrypt the password field in the Database. This allows "clear text"
comparison. If Database and calling code are on different machines - I
believe that's safe enough.
On 2019/04/05 18:03, Ekene Ezeasor wrote:
> Thank you Alan for your reply.
>
> Changing the passwords to clear-text is not an option ofcourse and we do
> Wi-Fi. Assuming we want to start using the SQL authorization with sha512
> (with hash). How do I implement the SQL query to check for sha512 password
> using the correct hash?
>
> Thanks
>
>
> On Fri, Apr 5, 2019 at 4:29 PM Alan DeKok <aland@deployingradius.com> wrote:
>
>> On Apr 5, 2019, at 11:22 AM, Ekene Ezeasor <ezeasorekene@gmail.com> wrote:
>>> Please our users' password are encrypted using crypt() (blowfish)
>> function
>>> in PHP. Now I want to use password_verify() to check the submitted
>> password
>>> and I intend doing that in PHP. I have updated my authorize section to
>> use
>>> the external PHP script like this:
>>>
>>> update control {
>>> Auth-type := "/usr/bin/php -f
>>> /etc/freeradius/3.0/php/checkpassword.php %{User-Name} %{User-Password}"
>>> &Proxy-To-Realm := LOCAL
>>> }
>>>
>>> But only the username is sent to the external PHP file. The password is
>>> empty.
>> If you're using WiFi, the User-Password won't exist. See the debug
>> output for more information.
>>
>>> We are already running a large database and it may not be easy to change
>> to
>>> another encryption method. Therefore this is very important and we really
>>> need to implement it.
>> See:
>>
>> http://deployingradius.com/documents/protocols/compatibility.html
>>
>> The clients will need to do TTLS with inner-tunnel PAP. Everything else
>> won't work.
>>
>> Your choices are:
>>
>> * use TTLS with inner PAP
>> * don't do WiFi
>> * change all the passwords in the database to clear-text
>>
>> Pick one.
>>
>> Alan DeKok
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Mark James ELKINS - Posix Systems - (South) Africa
mje@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
Hi Ekene, I think if you explain the entire scenario and what you're trying to achieve, they'll be able to help. I currently have an external application connected to freeradius, but what i do is entirely different. I authenticate users on the application separately, but i don't use the password they provide as the radius password, it's generated with a formula and SMD5-encrypted. something like usermac + last 2 letters of first name + last 4 digits of phone number. Then salted and encrypted and stored in Freeradius. Uchenna Nebedum On Fri, Apr 5, 2019, 16:23 Ekene Ezeasor <ezeasorekene@gmail.com> wrote:
Hi all,
Please our users' password are encrypted using crypt() (blowfish) function in PHP. Now I want to use password_verify() to check the submitted password and I intend doing that in PHP. I have updated my authorize section to use the external PHP script like this:
update control { Auth-type := "/usr/bin/php -f /etc/freeradius/3.0/php/checkpassword.php %{User-Name} %{User-Password}" &Proxy-To-Realm := LOCAL }
But only the username is sent to the external PHP file. The password is empty.
We are already running a large database and it may not be easy to change to another encryption method. Therefore this is very important and we really need to implement it.
Please can someone help. Thanks. Regards
___________________________ Ekene Ezeasor IT Consultant, Codee Solutions *Phone*: 08063961963 *Web*: www.codeeltd.com ------------------------------
*DISCLAIMER NOTICE:* *This e-mail, any attachments thereto and response string is intended solely for the attention and use of the addressee(s) named herein and may contain legally privileged and/or confidential information. In the event that you are not the intended recipient(s) of this e-mail and any attachments thereto, be notified that any dissemination, distribution or copying of this e-mail and any attachments thereto, is strictly prohibited. If you have received or otherwise encountered this e-mail in error, please immediately notify the sender and permanently delete the e-mail, any attachments and response string as well as any copy printout in connection therewith.* ------------------------------ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Uchenna,
Thanks for your tip. Let me explain our scenario.
We have our users created and managed using our custom made PHP
application. The username pattern is user@domain.edu and the password is
encrypted using PHP's function crypt() with a blowfish hash ($2y$....). We
have SimpleSAMLphp implementation where all users authenticate using our
SAML IdP. Because SimpleSAMLphp was done in PHP, it was easy for me to
integrate password_verify() to verify passwords supplied by the user.
Now we are trying to implement eduroam. We do not intend creating different
set of users since we already have a database (MySQL). So my worry and
problem now is:-
1. - How do I authenticate users using a PHP script that will verify
supplied passwords using password_verify()
2. - In the case where the above is not obtainable in freeradius, how can I
structure my MySQL database with regards to password encryption and
3. - What is the correct SQL code to use to effectively verify user
passwords to achieve no. 2 above.
Thank you.
On Fri, 5 Apr 2019, 10:23 pm Uchenna Nebedum, <nebeduch@gmail.com> wrote:
> Hi Ekene,
> I think if you explain the entire scenario and what you're trying to
> achieve, they'll be able to help.
>
> I currently have an external application connected to freeradius, but what
> i do is entirely different.
>
> I authenticate users on the application separately, but i don't use the
> password they provide as the radius password, it's generated with a formula
> and SMD5-encrypted.
>
> something like usermac + last 2 letters of first name + last 4 digits of
> phone number. Then salted and encrypted and stored in Freeradius.
>
> Uchenna Nebedum
>
> On Fri, Apr 5, 2019, 16:23 Ekene Ezeasor <ezeasorekene@gmail.com> wrote:
>
> > Hi all,
> >
> > Please our users' password are encrypted using crypt() (blowfish)
> function
> > in PHP. Now I want to use password_verify() to check the submitted
> password
> > and I intend doing that in PHP. I have updated my authorize section to
> use
> > the external PHP script like this:
> >
> > update control {
> > Auth-type := "/usr/bin/php -f
> > /etc/freeradius/3.0/php/checkpassword.php %{User-Name} %{User-Password}"
> > &Proxy-To-Realm := LOCAL
> > }
> >
> > But only the username is sent to the external PHP file. The password is
> > empty.
> >
> > We are already running a large database and it may not be easy to change
> to
> > another encryption method. Therefore this is very important and we really
> > need to implement it.
> >
> > Please can someone help. Thanks. Regards
> >
> >
> >
> > ___________________________
> > Ekene Ezeasor
> > IT Consultant,
> > Codee Solutions
> > *Phone*: 08063961963
> > *Web*: www.codeeltd.com
> > ------------------------------
> >
> > *DISCLAIMER NOTICE:*
> > *This e-mail, any attachments thereto and response string is intended
> > solely for the attention and use of the addressee(s) named herein and may
> > contain legally privileged and/or confidential information. In the event
> > that you are not the intended recipient(s) of this e-mail and any
> > attachments thereto, be notified that any dissemination, distribution or
> > copying of this e-mail and any attachments thereto, is strictly
> prohibited.
> > If you have received or otherwise encountered this e-mail in error,
> please
> > immediately notify the sender and permanently delete the e-mail, any
> > attachments and response string as well as any copy printout in
> connection
> > therewith.*
> > ------------------------------
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Hi Ekene,
Here are a few Ideas,
use the encrypted passwords from the custom application as PLAINTEXT
passwords in freeRADIUS, replicate the users you have in your APP DB as
valid users in freeRADIUS DB. then before submitting passwords to
freeRADIUS do the crypt() function on the provided password and submit that
to freeRADIUS. depending on the authentication process.
you could also create like an authentication API on your custom application
and use either the python or perl module to reach the API and compare the
provided password with what is in the DB. and return an Access-Accept based
on the response code. the perl/python script would be in the auth{} portion.
the third idea is not fully formed. I thought i had more.
On Sat, Apr 6, 2019 at 7:29 PM Ekene Ezeasor <ezeasorekene@gmail.com> wrote:
> Hi Uchenna,
>
> Thanks for your tip. Let me explain our scenario.
>
> We have our users created and managed using our custom made PHP
> application. The username pattern is user@domain.edu and the password is
> encrypted using PHP's function crypt() with a blowfish hash ($2y$....). We
> have SimpleSAMLphp implementation where all users authenticate using our
> SAML IdP. Because SimpleSAMLphp was done in PHP, it was easy for me to
> integrate password_verify() to verify passwords supplied by the user.
>
> Now we are trying to implement eduroam. We do not intend creating different
> set of users since we already have a database (MySQL). So my worry and
> problem now is:-
>
> 1. - How do I authenticate users using a PHP script that will verify
> supplied passwords using password_verify()
>
> 2. - In the case where the above is not obtainable in freeradius, how can I
> structure my MySQL database with regards to password encryption and
>
> 3. - What is the correct SQL code to use to effectively verify user
> passwords to achieve no. 2 above.
>
> Thank you.
>
>
> On Fri, 5 Apr 2019, 10:23 pm Uchenna Nebedum, <nebeduch@gmail.com> wrote:
>
> > Hi Ekene,
> > I think if you explain the entire scenario and what you're trying to
> > achieve, they'll be able to help.
> >
> > I currently have an external application connected to freeradius, but
> what
> > i do is entirely different.
> >
> > I authenticate users on the application separately, but i don't use the
> > password they provide as the radius password, it's generated with a
> formula
> > and SMD5-encrypted.
> >
> > something like usermac + last 2 letters of first name + last 4 digits of
> > phone number. Then salted and encrypted and stored in Freeradius.
> >
> > Uchenna Nebedum
> >
> > On Fri, Apr 5, 2019, 16:23 Ekene Ezeasor <ezeasorekene@gmail.com> wrote:
> >
> > > Hi all,
> > >
> > > Please our users' password are encrypted using crypt() (blowfish)
> > function
> > > in PHP. Now I want to use password_verify() to check the submitted
> > password
> > > and I intend doing that in PHP. I have updated my authorize section to
> > use
> > > the external PHP script like this:
> > >
> > > update control {
> > > Auth-type := "/usr/bin/php -f
> > > /etc/freeradius/3.0/php/checkpassword.php %{User-Name}
> %{User-Password}"
> > > &Proxy-To-Realm := LOCAL
> > > }
> > >
> > > But only the username is sent to the external PHP file. The password is
> > > empty.
> > >
> > > We are already running a large database and it may not be easy to
> change
> > to
> > > another encryption method. Therefore this is very important and we
> really
> > > need to implement it.
> > >
> > > Please can someone help. Thanks. Regards
> > >
> > >
> > >
> > > ___________________________
> > > Ekene Ezeasor
> > > IT Consultant,
> > > Codee Solutions
> > > *Phone*: 08063961963
> > > *Web*: www.codeeltd.com
> > > ------------------------------
> > >
> > > *DISCLAIMER NOTICE:*
> > > *This e-mail, any attachments thereto and response string is intended
> > > solely for the attention and use of the addressee(s) named herein and
> may
> > > contain legally privileged and/or confidential information. In the
> event
> > > that you are not the intended recipient(s) of this e-mail and any
> > > attachments thereto, be notified that any dissemination, distribution
> or
> > > copying of this e-mail and any attachments thereto, is strictly
> > prohibited.
> > > If you have received or otherwise encountered this e-mail in error,
> > please
> > > immediately notify the sender and permanently delete the e-mail, any
> > > attachments and response string as well as any copy printout in
> > connection
> > > therewith.*
> > > ------------------------------
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
--
Nebedum Uchenna
Thanks Uchenna,
I appreciate your help so far but could you please expand those two methods
mentioned. By that I mean how do I exactly go about the processes. If you
wouldn't mind, can you paste some codes that can help me achieve this. At
this point I don't know what else to do.
Thanks.
On Sat, 6 Apr 2019, 8:05 pm Uchenna Nebedum, <nebeduch@gmail.com> wrote:
> Hi Ekene,
> Here are a few Ideas,
>
> use the encrypted passwords from the custom application as PLAINTEXT
> passwords in freeRADIUS, replicate the users you have in your APP DB as
> valid users in freeRADIUS DB. then before submitting passwords to
> freeRADIUS do the crypt() function on the provided password and submit that
> to freeRADIUS. depending on the authentication process.
>
> you could also create like an authentication API on your custom application
> and use either the python or perl module to reach the API and compare the
> provided password with what is in the DB. and return an Access-Accept based
> on the response code. the perl/python script would be in the auth{}
> portion.
>
> the third idea is not fully formed. I thought i had more.
>
>
>
>
>
> On Sat, Apr 6, 2019 at 7:29 PM Ekene Ezeasor <ezeasorekene@gmail.com>
> wrote:
>
> > Hi Uchenna,
> >
> > Thanks for your tip. Let me explain our scenario.
> >
> > We have our users created and managed using our custom made PHP
> > application. The username pattern is user@domain.edu and the password is
> > encrypted using PHP's function crypt() with a blowfish hash ($2y$....).
> We
> > have SimpleSAMLphp implementation where all users authenticate using our
> > SAML IdP. Because SimpleSAMLphp was done in PHP, it was easy for me to
> > integrate password_verify() to verify passwords supplied by the user.
> >
> > Now we are trying to implement eduroam. We do not intend creating
> different
> > set of users since we already have a database (MySQL). So my worry and
> > problem now is:-
> >
> > 1. - How do I authenticate users using a PHP script that will verify
> > supplied passwords using password_verify()
> >
> > 2. - In the case where the above is not obtainable in freeradius, how
> can I
> > structure my MySQL database with regards to password encryption and
> >
> > 3. - What is the correct SQL code to use to effectively verify user
> > passwords to achieve no. 2 above.
> >
> > Thank you.
> >
> >
> > On Fri, 5 Apr 2019, 10:23 pm Uchenna Nebedum, <nebeduch@gmail.com>
> wrote:
> >
> > > Hi Ekene,
> > > I think if you explain the entire scenario and what you're trying to
> > > achieve, they'll be able to help.
> > >
> > > I currently have an external application connected to freeradius, but
> > what
> > > i do is entirely different.
> > >
> > > I authenticate users on the application separately, but i don't use
> the
> > > password they provide as the radius password, it's generated with a
> > formula
> > > and SMD5-encrypted.
> > >
> > > something like usermac + last 2 letters of first name + last 4 digits
> of
> > > phone number. Then salted and encrypted and stored in Freeradius.
> > >
> > > Uchenna Nebedum
> > >
> > > On Fri, Apr 5, 2019, 16:23 Ekene Ezeasor <ezeasorekene@gmail.com>
> wrote:
> > >
> > > > Hi all,
> > > >
> > > > Please our users' password are encrypted using crypt() (blowfish)
> > > function
> > > > in PHP. Now I want to use password_verify() to check the submitted
> > > password
> > > > and I intend doing that in PHP. I have updated my authorize section
> to
> > > use
> > > > the external PHP script like this:
> > > >
> > > > update control {
> > > > Auth-type := "/usr/bin/php -f
> > > > /etc/freeradius/3.0/php/checkpassword.php %{User-Name}
> > %{User-Password}"
> > > > &Proxy-To-Realm := LOCAL
> > > > }
> > > >
> > > > But only the username is sent to the external PHP file. The password
> is
> > > > empty.
> > > >
> > > > We are already running a large database and it may not be easy to
> > change
> > > to
> > > > another encryption method. Therefore this is very important and we
> > really
> > > > need to implement it.
> > > >
> > > > Please can someone help. Thanks. Regards
> > > >
> > > >
> > > >
> > > > ___________________________
> > > > Ekene Ezeasor
> > > > IT Consultant,
> > > > Codee Solutions
> > > > *Phone*: 08063961963
> > > > *Web*: www.codeeltd.com
> > > > ------------------------------
> > > >
> > > > *DISCLAIMER NOTICE:*
> > > > *This e-mail, any attachments thereto and response string is intended
> > > > solely for the attention and use of the addressee(s) named herein and
> > may
> > > > contain legally privileged and/or confidential information. In the
> > event
> > > > that you are not the intended recipient(s) of this e-mail and any
> > > > attachments thereto, be notified that any dissemination, distribution
> > or
> > > > copying of this e-mail and any attachments thereto, is strictly
> > > prohibited.
> > > > If you have received or otherwise encountered this e-mail in error,
> > > please
> > > > immediately notify the sender and permanently delete the e-mail, any
> > > > attachments and response string as well as any copy printout in
> > > connection
> > > > therewith.*
> > > > ------------------------------
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
>
>
> --
> Nebedum Uchenna
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
participants (8)
-
Alan Buxey -
Alan DeKok -
Ekene Ezeasor -
Jorge Pereira -
Mark Elkins -
Peter Lambrechtsen -
Rafael Labiak Olivastro -
Uchenna Nebedum