Best/simplest authentication method to validate an encrypted user/password against encrypted known-good.
Hi guys! I am running into a bit of a problem where I least expected, so looking for a general advice here. I'd like to be able to authenticate a user by comparing password provided with the client's authentication request with what's in a password store. It can be easily done by Clear-Text password, of course, but I cannot have a known good password in that password store in Clear-Text form - only encrypted (doesn't really matter how). So ideally, i'd like to get an encrypted password string from a client, and compare it with an encrypted password string retrieved from the known good password store. The retrieval of the known good password is done in the python module. And I'd rather not use SQL instead for the Python. EAP methods encrypt the whole message using the user passwords as a key (as far as I understand it), which complicates the matter... Any advice as to what standard mechanism(s)/method(s) can be used in such case? I hope I explained it well enough... Thank you so much! Gleb
On Apr 29, 2020, at 5:03 PM, Gleb Lisikh <in4bit.general@gmail.com> wrote:
I'd like to be able to authenticate a user by comparing password provided with the client's authentication request with what's in a password store. It can be easily done by Clear-Text password, of course, but I cannot have a known good password in that password store in Clear-Text form - only encrypted (doesn't really matter how).
It does matter how. FreeRADIUS has to understand the encrypted form in order to authenticate the user.
So ideally, i'd like to get an encrypted password string from a client, and compare it with an encrypted password string retrieved from the known good password store.
RADIUS doesn't work that way. You can get the clear-text password from the user. It's in the User-Password attribute. You can get the encrypted password from a database such as SQL or LDAP. The "pap" module will then compare the two.
The retrieval of the known good password is done in the python module. And I'd rather not use SQL instead for the Python.
The python module should just hand the encrypted password to FreeRADIUS, and let FreeRADIUS do the work. See mods-available/pap for documentation on what encrypted formats are supported.
EAP methods encrypt the whole message using the user passwords as a key (as far as I understand it), which complicates the matter...
No. EAP methods do something rather more complex, like TLS. Alan DeKok.
Thanks a lot Alan! I am making progress at least in my understanding of how everything flows. The client uses EAP and MSCHAPv2 for EAP/TLS inner-tunnel authentication. And mschap requires Cleartext-Password for known good password. Is there any way to substitute such password with an encrypted (e.g. SHA1) string? To your earlier point, I can do the following for PAP (in default or/and inner-tunnel authorize section) to provide with a hashed password: ########## config = ( ('SHA-Password', 'aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d'), ) return (radiusd.RLM_MODULE_OK, reply, config) ######### But the Auth-Type is preset to MSCHAPv2, and the mschap demands for Cleartext, and fails if it does not get it. Anything I can do to overcome this Cleartext problem? On a side note, I'd also rather not use SQL or LDAP for proving an encrypted password, but this does not seem to be solving the problem of mschap needing only Cleartext either, unless I am terribly confused Regards, Gleb On Wed, Apr 29, 2020 at 6:02 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 29, 2020, at 5:03 PM, Gleb Lisikh <in4bit.general@gmail.com> wrote:
I'd like to be able to authenticate a user by comparing password provided with the client's authentication request with what's in a password store. It can be easily done by Clear-Text password, of course, but I cannot have a known good password in that password store in Clear-Text form - only encrypted (doesn't really matter how).
It does matter how. FreeRADIUS has to understand the encrypted form in order to authenticate the user.
So ideally, i'd like to get an encrypted password string from a client, and compare it with an encrypted password string retrieved from the known good password store.
RADIUS doesn't work that way.
You can get the clear-text password from the user. It's in the User-Password attribute. You can get the encrypted password from a database such as SQL or LDAP. The "pap" module will then compare the two.
The retrieval of the known good password is done in the python module. And I'd rather not use SQL instead for the Python.
The python module should just hand the encrypted password to FreeRADIUS, and let FreeRADIUS do the work.
See mods-available/pap for documentation on what encrypted formats are supported.
EAP methods encrypt the whole message using the user passwords as a key (as far as I understand it), which complicates the matter...
No. EAP methods do something rather more complex, like TLS.
Alan DeKok.
On 01/05/2020 22:13, Gleb Lisikh wrote:
The client uses EAP and MSCHAPv2 for EAP/TLS inner-tunnel authentication. And mschap requires Cleartext-Password for known good password. Is there any way to substitute such password with an encrypted (e.g. SHA1) string?
MSCHAPv2 can use *only* cleartext password, or NT hash. Nothing else will work. See http://deployingradius.com/documents/protocols/compatibility.html
Anything I can do to overcome this Cleartext problem?
No, not if you use MSCHAPv2.
On a side note, I'd also rather not use SQL or LDAP for proving an encrypted password
Well, you've got to get the password from somewhere. They're the common sort of places people use to store user data. I would advise that you use FreeRADIUS to do the authentication, rather than trying to do something yourself in one of the language modules, especially python, for performance reasons. -- Matthew
I was able to overcome the need for Cleartext password in MSCHAPv2 EAP inner tunnel authentication by adding python to /usr/local/etc/raddb/sites-enabled/*inner-tunnel,* as well as returning *NT-Password* in the config return. No other types of hashing have been otherwise recognized by mschap. It seems like a workable solution for now, unless this would be considered as not in line with best practices and/or will have some undesirable consequences. Any comments are welcome. Thank you, Gleb On Fri, May 1, 2020 at 5:13 PM Gleb Lisikh <in4bit.general@gmail.com> wrote:
Thanks a lot Alan! I am making progress at least in my understanding of how everything flows.
The client uses EAP and MSCHAPv2 for EAP/TLS inner-tunnel authentication. And mschap requires Cleartext-Password for known good password. Is there any way to substitute such password with an encrypted (e.g. SHA1) string? To your earlier point, I can do the following for PAP (in default or/and inner-tunnel authorize section) to provide with a hashed password: ########## config = ( ('SHA-Password', 'aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d'), ) return (radiusd.RLM_MODULE_OK, reply, config) #########
But the Auth-Type is preset to MSCHAPv2, and the mschap demands for Cleartext, and fails if it does not get it.
Anything I can do to overcome this Cleartext problem?
On a side note, I'd also rather not use SQL or LDAP for proving an encrypted password, but this does not seem to be solving the problem of mschap needing only Cleartext either, unless I am terribly confused
Regards,
Gleb
On Wed, Apr 29, 2020 at 6:02 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 29, 2020, at 5:03 PM, Gleb Lisikh <in4bit.general@gmail.com> wrote:
I'd like to be able to authenticate a user by comparing password provided with the client's authentication request with what's in a password store. It can be easily done by Clear-Text password, of course, but I cannot have a known good password in that password store in Clear-Text form - only encrypted (doesn't really matter how).
It does matter how. FreeRADIUS has to understand the encrypted form in order to authenticate the user.
So ideally, i'd like to get an encrypted password string from a client, and compare it with an encrypted password string retrieved from the known good password store.
RADIUS doesn't work that way.
You can get the clear-text password from the user. It's in the User-Password attribute. You can get the encrypted password from a database such as SQL or LDAP. The "pap" module will then compare the two.
The retrieval of the known good password is done in the python module. And I'd rather not use SQL instead for the Python.
The python module should just hand the encrypted password to FreeRADIUS, and let FreeRADIUS do the work.
See mods-available/pap for documentation on what encrypted formats are supported.
EAP methods encrypt the whole message using the user passwords as a key (as far as I understand it), which complicates the matter...
No. EAP methods do something rather more complex, like TLS.
Alan DeKok.
On May 2, 2020, at 1:24 PM, Gleb Lisikh <in4bit.general@gmail.com> wrote:
I was able to overcome the need for Cleartext password in MSCHAPv2 EAP inner tunnel authentication by adding python to /usr/local/etc/raddb/sites-enabled/inner-tunnel, as well as returning NT-Password in the config return. No other types of hashing have been otherwise recognized by mschap.
Yes, that's what you were told.
It seems like a workable solution for now, unless this would be considered as not in line with best practices and/or will have some undesirable consequences.
As said before, Cleartext-Password and NT-Password are your only options. As such, using them is necessary. This isn't about "best practices" or "undesirable consequences". Nothing else works, so these are your *only* practices. Alan DeKok.
participants (3)
-
Alan DeKok -
Gleb Lisikh -
Matthew Newton