FreeRadius + MySQL & Encrypted passwords
Hi all, I've been trying to encrypt the passwords in mySQL using SHA1 or MD5 without any luck for the last several days. First let me tell you a bit about our system: RedHat ES 4 freeradius-1.0.1-2.RHEL4 freeradius-mysql-1.0.1-2.RHEL4 mysql-server-4.1.7-4.RHEL4.1 mysql-4.1.7-4.RHEL4.1 Everything works fine with clear text passwords and if I use Unix Crypt. This is the config that works with Unix Crypt: radcheck +-----+------------+---------------+----+------------------------------- ---------------------------+ | id | UserName | Attribute | op | Value | +-----+------------+---------------+----+------------------------------- ---------------------------+ | 844 | bogdan | Crypt-Password | == | 55MCU5TXMoKsA | +-----+------------+---------------+----+------------------------------- ---------------------------+ usergroup +-----+------------+-------------+ | id | UserName | GroupName | +-----+------------+-------------+ | 844 | bogdan | adsl-static | +-----+------------+-------------+ radgroupcheck +----+-------------+-----------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-------------+-----------+----+-------+ | 1 | adsl | Auth-Type | := | PAP | | 2 | adsl-static | Auth-Type | := | PAP | radius.conf ------------- ........................... modules { .................. pap { encryption_scheme = crypt } .................... } authenticate { .............. Auth-Type PAP { pap } ............... } This works perfect ! now I want to use MD5 or SHA1 so I change: pap { encryption_scheme = sha1 (or md5) } and this is what I get in /usr/sbin/radiusd -X modcall[authorize]: module "sql" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type PAP auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_pap: login attempt by "shipcoadsl" with password test rlm_pap: Crypt-Password attribute but encryption scheme is not set to CRYPT modcall[authenticate]: module "pap" returns fail for request 0 modcall: group Auth-Type returns fail for request 0 if I change: +-----+------------+---------------+----+------------------------------- ---------------------------+ | id | UserName | Attribute | op | Value | +-----+------------+---------------+----+------------------------------- ---------------------------+ | 844 | bogdan | Crypt-Password | == | {md5} password | +-----+------------+---------------+----+------------------------------- ---------------------------+ to: +-----+------------+---------------+----+------------------------------- ---------------------------+ | id | UserName | Attribute | op | Value | +-----+------------+---------------+----+------------------------------- ---------------------------+ | 844 | bogdan | User-Password | == | {md5} password | +-----+------------+---------------+----+------------------------------- ---------------------------+ and this is what I get: rlm_sql (sql): No matching entry in the database for request from user [shipcoadsl] rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns notfound for request 0 modcall: group authorize returns ok for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [shipcoadsl/test] (from client TestNAS2 port 0) I also tried changing: radgroupcheck +----+-------------+-----------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-------------+-----------+----+-------+ | 1 | adsl | Auth-Type | := | PAP | to: radgroupcheck +----+-------------+-----------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-------------+-----------+----+-------+ | 1 | adsl | Auth-Type | := | MD5 | then add: authenticate { .............. Auth-Type MD5 { pap } ............... } an I got exactly the same answer as before! Tried adding to the radgroupreply: | 26 | adsl-static | Auth-Type | := | PAP | 0 | but still no luck! Is this a bug? What am I missing? Your help will be greatly appreciated! Thanks, Bogdan.
Hi,
I've been trying to encrypt the passwords in mySQL using SHA1 or MD5 without any luck for the last several days.
---------------------------+ | 844 | bogdan | Crypt-Password | == | 55MCU5TXMoKsA | +-----+------------+---------------+----+-------------------------------
okay. attribute set to Crypt-Password. however, when you changed to SHA1 or MD5 you DIDNT change this attribute. from the Documentation, you can see Header Attribute Description ------ --------- ----------- {clear} User-Password clear-text passwords {cleartext} User-Password clear-text passwords {crypt} Crypt-Password Unix-style "crypt"ed passwords {md5} MD5-Password MD5 hashed passwords {smd5} SMD5-Password MD5 hashed passwords, with a salt {sha} SHA-Password SHA1 hashed passwords {ssha} SSHA-Password SHA1 hashed passwords, with a salt {nt} NT-Password Windows NT hashed passwords {x-nthash} NT-Password Windows NT hashed passwords {lm} LM-Password Windows Lan Manager (LM) passwords. the error log posted clearly showed rlm_pap bleating away that it was being told to use MD5 or SHA but that only Crypt-Password attribute was present. alan
Thanks Alan, Changed: | 844 | bogdan | Crypt-Password | == | 55MCU5TXMoKsA | To | 844 | bogdan | SSHA-Password | == | 55MCU5TXMoKsA | And pap { encryption_scheme = sha1 } And it says: rlm_sql: unknown attribute SSHA-Password However the output significantly changed. It looks like it's now trying the user in all the groups: rad_recv: Access-Request packet from host 206.186.81.100:4147, id=76, length=50 User-Name = "shipcoadsl" User-Password = "test" rad_lowerpair: User-Name now 'shipcoadsl' rad_rmspace_pair: User-Name now 'shipcoadsl' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 rlm_sql (sql): - sql_groupcmp radius_xlat: 'shipcoadsl' rlm_sql (sql): sql_set_user escaped user --> 'shipcoadsl' radius_xlat: 'SELECT GroupName FROM usergroup WHERE UserName='shipcoadsl'' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: SELECT GroupName FROM usergroup WHERE UserName='shipcoadsl' rlm_sql (sql): Released sql socket id: 4 rlm_sql (sql): - sql_groupcmp finished: User does not belong in group dialup rlm_sql (sql): - sql_groupcmp radius_xlat: 'shipcoadsl' rlm_sql (sql): sql_set_user escaped user --> 'shipcoadsl' radius_xlat: 'SELECT GroupName FROM usergroup WHERE UserName='shipcoadsl'' rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: query: SELECT GroupName FROM usergroup WHERE UserName='shipcoadsl' rlm_sql (sql): Released sql socket id: 3 rlm_sql (sql): - sql_groupcmp finished: User does not belong in group idm rlm_sql (sql): - sql_groupcmp radius_xlat: 'shipcoadsl' rlm_sql (sql): sql_set_user escaped user --> 'shipcoadsl' radius_xlat: 'SELECT GroupName FROM usergroup WHERE UserName='shipcoadsl'' rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: SELECT GroupName FROM usergroup WHERE UserName='shipcoadsl' rlm_sql (sql): Released sql socket id: 2 rlm_sql (sql): - sql_groupcmp finished: User does not belong in group ikano rlm_sql (sql): - sql_groupcmp radius_xlat: 'shipcoadsl' rlm_sql (sql): sql_set_user escaped user --> 'shipcoadsl' radius_xlat: 'SELECT GroupName FROM usergroup WHERE UserName='shipcoadsl'' rlm_sql (sql): Reserving sql socket id: 1 rlm_sql_mysql: query: SELECT GroupName FROM usergroup WHERE UserName='shipcoadsl' rlm_sql (sql): Released sql socket id: 1 rlm_sql (sql): - sql_groupcmp finished: User does not belong in group adsl rlm_sql (sql): - sql_groupcmp radius_xlat: 'shipcoadsl' rlm_sql (sql): sql_set_user escaped user --> 'shipcoadsl' radius_xlat: 'SELECT GroupName FROM usergroup WHERE UserName='shipcoadsl'' rlm_sql (sql): Reserving sql socket id: 0 rlm_sql_mysql: query: SELECT GroupName FROM usergroup WHERE UserName='shipcoadsl' rlm_sql (sql): - sql_groupcmp finished: User belongs in group adsl-static rlm_sql (sql): Released sql socket id: 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: No '@' in User-Name = "shipcoadsl", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "shipcoadsl" rlm_realm: Proxying request from user shipcoadsl to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 radius_xlat: 'shipcoadsl' rlm_sql (sql): sql_set_user escaped user --> 'shipcoadsl' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'shipcoadsl' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'shipcoadsl' ORDER BY id rlm_sql: unknown attribute SMD5-Password rlm_sql (sql): Error getting data from database rlm_sql (sql): SQL query error; rejecting user rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns fail for request 0 modcall: group authorize returns fail for request 0 There was no response configured: rejecting request 0 Server rejecting request 0. Finished request 0 -----Original Message----- From: freeradius-users-bounces+helpdesk22=mycybernet.net@lists.freeradius.org [mailto:freeradius-users-bounces+helpdesk22=mycybernet.net@lists.freerad ius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: May 4, 2006 4:27 PM To: FreeRadius users mailing list Subject: Re: FreeRadius + MySQL & Encrypted passwords Hi,
I've been trying to encrypt the passwords in mySQL using SHA1 or MD5 without any luck for the last several days.
---------------------------+ | 844 | bogdan | Crypt-Password | == | 55MCU5TXMoKsA | +-----+------------+---------------+----+----------------------------- +-----+------------+---------------+----+--
okay. attribute set to Crypt-Password. however, when you changed to SHA1 or MD5 you DIDNT change this attribute. from the Documentation, you can see Header Attribute Description ------ --------- ----------- {clear} User-Password clear-text passwords {cleartext} User-Password clear-text passwords {crypt} Crypt-Password Unix-style "crypt"ed passwords {md5} MD5-Password MD5 hashed passwords {smd5} SMD5-Password MD5 hashed passwords, with a salt {sha} SHA-Password SHA1 hashed passwords {ssha} SSHA-Password SHA1 hashed passwords, with a salt {nt} NT-Password Windows NT hashed passwords {x-nthash} NT-Password Windows NT hashed passwords {lm} LM-Password Windows Lan Manager (LM) passwords. the error log posted clearly showed rlm_pap bleating away that it was being told to use MD5 or SHA but that only Crypt-Password attribute was present. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, I would like to find out how to configure freeradius so I don't have to save clear text passwords in the users file. I've been following the mail list but I've seen so many ways of configuring crypted passwords, md5, .... that right now I've got a mess in my head. If someone can help me, to address me to a tutorial, or a link to a website where I can find some clear info over this, I would appreciate. Thank you.
Hi Miguel, Bellow you will find the config I'm using. It works with Unix Crypt but not with md5 or SHA1. It looks like for md5 or sha1 the crypt-password attribute has to be changed to MD5-password or SHA1-password. However my freeRadius doesn't recognize any of these 2 attributes (rlm_sql: unknown attribute SSHA-Password). For the time beeing I'll stick with Unix Crypt. Please let me know if you find a better config. Bogdan. -----Original Message----- From: Bogdan Dumitriu - Technical Support Team [mailto:helpdesk22@mycybernet.net] Sent: May 4, 2006 3:40 PM To: 'freeradius-users@lists.freeradius.org' Subject: FreeRadius + MySQL & Encrypted passwords Hi all, I've been trying to encrypt the passwords in mySQL using SHA1 or MD5 without any luck for the last several days. First let me tell you a bit about our system: RedHat ES 4 freeradius-1.0.1-2.RHEL4 freeradius-mysql-1.0.1-2.RHEL4 mysql-server-4.1.7-4.RHEL4.1 mysql-4.1.7-4.RHEL4.1 Everything works fine with clear text passwords and if I use Unix Crypt. This is the config that works with Unix Crypt: radcheck +-----+------------+---------------+----+------------------------------- ---------------------------+ | id | UserName | Attribute | op | Value | +-----+------------+---------------+----+------------------------------- ---------------------------+ | 844 | bogdan | Crypt-Password | == | 55MCU5TXMoKsA | +-----+------------+---------------+----+------------------------------- ---------------------------+ usergroup +-----+------------+-------------+ | id | UserName | GroupName | +-----+------------+-------------+ | 844 | bogdan | adsl-static | +-----+------------+-------------+ radgroupcheck +----+-------------+-----------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-------------+-----------+----+-------+ | 1 | adsl | Auth-Type | := | PAP | | 2 | adsl-static | Auth-Type | := | PAP | radius.conf ------------- ........................... modules { .................. pap { encryption_scheme = crypt } .................... } authenticate { .............. Auth-Type PAP { pap } ............... } This works perfect ! now I want to use MD5 or SHA1 so I change: pap { encryption_scheme = sha1 (or md5) } and this is what I get in /usr/sbin/radiusd -X modcall[authorize]: module "sql" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type PAP auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_pap: login attempt by "shipcoadsl" with password test rlm_pap: Crypt-Password attribute but encryption scheme is not set to CRYPT modcall[authenticate]: module "pap" returns fail for request 0 modcall: group Auth-Type returns fail for request 0 if I change: +-----+------------+---------------+----+------------------------------- ---------------------------+ | id | UserName | Attribute | op | Value | +-----+------------+---------------+----+------------------------------- ---------------------------+ | 844 | bogdan | Crypt-Password | == | {md5} password | +-----+------------+---------------+----+------------------------------- ---------------------------+ to: +-----+------------+---------------+----+------------------------------- ---------------------------+ | id | UserName | Attribute | op | Value | +-----+------------+---------------+----+------------------------------- ---------------------------+ | 844 | bogdan | User-Password | == | {md5} password | +-----+------------+---------------+----+------------------------------- ---------------------------+ and this is what I get: rlm_sql (sql): No matching entry in the database for request from user [shipcoadsl] rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns notfound for request 0 modcall: group authorize returns ok for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [shipcoadsl/test] (from client TestNAS2 port 0) I also tried changing: radgroupcheck +----+-------------+-----------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-------------+-----------+----+-------+ | 1 | adsl | Auth-Type | := | PAP | to: radgroupcheck +----+-------------+-----------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-------------+-----------+----+-------+ | 1 | adsl | Auth-Type | := | MD5 | then add: authenticate { .............. Auth-Type MD5 { pap } ............... } an I got exactly the same answer as before! Tried adding to the radgroupreply: | 26 | adsl-static | Auth-Type | := | PAP | 0 | but still no luck! Is this a bug? What am I missing? Your help will be greatly appreciated! Thanks, Bogdan. -----Original Message----- From: freeradius-users-bounces+helpdesk22=mycybernet.net@lists.freeradius.org [mailto:freeradius-users-bounces+helpdesk22=mycybernet.net@lists.freerad ius.org] On Behalf Of Miguel Angel Quiles Sent: May 8, 2006 5:34 AM To: FreeRadius users mailing list Subject: Re: FreeRadius + MySQL & Encrypted passwords Hi, I would like to find out how to configure freeradius so I don't have to save clear text passwords in the users file. I've been following the mail list but I've seen so many ways of configuring crypted passwords, md5, .... that right now I've got a mess in my head. If someone can help me, to address me to a tutorial, or a link to a website where I can find some clear info over this, I would appreciate. Thank you.
Hi Alan, Sorry, I'm new to this: what does your reply mean? Is there a patch I can install? Do I have to do an upgrade? Thanks, Bogdan. -----Original Message----- From: freeradius-users-bounces+helpdesk22=mycybernet.net@lists.freeradius.org [mailto:freeradius-users-bounces+helpdesk22=mycybernet.net@lists.freerad ius.org] On Behalf Of Alan DeKok Sent: May 8, 2006 12:48 PM To: FreeRadius users mailing list Subject: Re: FreeRadius + MySQL & Encrypted passwords "Bogdan Dumitriu - Technical Support Team" <helpdesk22@mycybernet.net> wrote:
However my freeRadius doesn't recognize any of these 2 attributes (rlm_sql: unknown attribute SSHA-Password).
This functionality is in the CVS head, and not in 1.1.x Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Bogdan, I've tried with mysql and the crypt passwords and it works fine. Now I still wondering if there is any way with PAP to enable crypted passwords with MD5 or SHA1. I don't know if I understood ok, tell me if I'm wrong. I think that at the moment it's impossible to enable MD5 or SHA1 for encrypted passwords, but that they are working on it, so perhaps in future versions this will be possible. Thanks, Miguel Angel
Hello Miguel, To be honest I'm not sure! The last reply from Alan says that this functionality is in the CVs head and not in 1.1.x. I'm not sure exactly what that means. But I guess you are right, at the moment it is impossible to use MD5 or SHA1. I guess the best practice would be to have the Radius behind a really good firewall to make sure nobody will be able to get the users db. Bogdan. -----Original Message----- From: freeradius-users-bounces+helpdesk22=mycybernet.net@lists.freeradius.org [mailto:freeradius-users-bounces+helpdesk22=mycybernet.net@lists.freerad ius.org] On Behalf Of Miguel Angel Quiles Sent: May 10, 2006 3:07 AM To: FreeRadius users mailing list Subject: Re: FreeRadius + MySQL & Encrypted passwords Thanks Bogdan, I've tried with mysql and the crypt passwords and it works fine. Now I still wondering if there is any way with PAP to enable crypted passwords with MD5 or SHA1. I don't know if I understood ok, tell me if I'm wrong. I think that at the moment it's impossible to enable MD5 or SHA1 for encrypted passwords, but that they are working on it, so perhaps in future versions this will be possible. Thanks, Miguel Angel
Hi,
To be honest I'm not sure! The last reply from Alan says that this functionality is in the CVs head and not in 1.1.x. I'm not sure exactly what that means. But I guess you are right, at the moment it is
it means that the feature is in the latest bleeding edge version - you must use CVS to get it - its not available in the latest .tar archived version. alan
"Miguel Angel Quiles" <wingfox@gmail.com> wrote:
I would like to find out how to configure freeradius so I don't have to save clear text passwords in the users file.
First, which authentication types do your users use? If they use CHAP, you have no choice but to use clear-text passwords. Alan DeKok.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Bogdan Dumitriu - Technical Support Team -
Miguel Angel Quiles