encrypted passwords in users file
Hi all, Is it possible to keep encrypted passwords in users file? For e.g. test Cleartext-Password := "test" Service-type = NAS-Prompt-User instead of cleartext can we have encrypted passwords here. Thanks. On Thu, Mar 13, 2008 at 4:32 PM, < freeradius-users-owner@lists.freeradius.org> wrote:
You are not allowed to post to this mailing list, and your message has been automatically rejected. If you think that your messages are being rejected in error, contact the mailing list owner at freeradius-users-owner@lists.freeradius.org.
---------- Forwarded message ---------- From: "ashish verma" <ashish.scit@gmail.com> To: freeradius-users@lists.freeradius.org Date: Thu, 13 Mar 2008 16:32:21 +0530 Subject: encrypted passwords in users file Hi all,
Is it possible to keep encrypted passwords in users file?
For e.g. test Cleartext-Password := "test" Service-type = NAS-Prompt-User
instead of cleartext can we have encrypted passwords here.
Thanks.
On Tue, Oct 23, 2007 at 2:03 PM, < freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Are SHA-256 certificates supported? (hannu.lammi@wipsl.com) 2. Re: Freeradius doesn't detect EAP when authenticating against MySQL (Alan DeKok) 3. Re: TTLS with Mutual Authentication (Alan DeKok) 4. Re: Are SHA-256 certificates supported? (Alan DeKok) 5. FreeRADIUS and SNMP questions (Geoffroy Arnoud) 6. Re: Freeradius doesn't detect EAP when authenticating against MySQL (primoz) 7. Re: FreeRADIUS and SNMP questions (Alan DeKok) 8. Re: Freeradius doesn't detect EAP when authenticating against MySQL (Alan DeKok)
----------------------------------------------------------------------
Message: 1 Date: Tue, 23 Oct 2007 10:10:05 +0300 (EEST) From: hannu.lammi@wipsl.com Subject: Are SHA-256 certificates supported? To: freeradius-users@lists.freeradius.org Message-ID: <14671.192.100.116.143.1193123405.squirrel@mail.wipsl.com> Content-Type: text/plain;charset=utf-8
Hi,
I need to set up a RADIUS server that accepts certificates which use SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the box.
After verifying that EAP-TLS authentication works with SHA-1 certificates I switched to SHA-256 certificate that was created with OpenSSL 0.9.8b, the same that FreeRADIUS was compiled against.
Here's a snippet of the log I got from my SHA-256 test:
===== --> verify error:num=7:certificate signature failure rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert write:fatal:decrypt error TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm =====
It would seem there's a problem somewhere. It may very well be in the client I'm using.
So, I'd like to know if FreeRADIUS supports SHA-256 certificates? If it doesn't, is the support for them planned?
thanks in advance, - Hannu
------------------------------
Message: 2 Date: Tue, 23 Oct 2007 09:12:03 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Re: Freeradius doesn't detect EAP when authenticating against MySQL To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <471D9EC3.4090609@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
preem wrote:
So, what is a common practice to do this then?
It's not.
People store MD5 or crypt'd passwords when the ONLY authentication they're doing is PAP. i.e. Unix logins, where the user supplies a clear-text password to the authentication system.
For many EAP types, people do NOT store MD5 or crypt'd passwords, because they're useless.
I understand its not very safe nor sane to store passwords in clear text, thats why I wanted to avoid that, however it seems inevitable.
It is safe, sane, and common practice to store passwords in clear text.
I am managing a wired network for some 300 users, its a student dorm and the university owns the network and they require authentication for the ease of management and control. 802.1x felt like the right way to go, because we are planning some wireless access points as well. There are HP's Procurve 2650 switches in use. I choose mysql db backend, because I also created set of PHP scripts, where users can change their passwords and admin can add/del/modify user info. So what can one do to avoid storing passes in clear text or is it sane enough? The server also serves some web pages and dhcp requests.
Ensure that no one has physical access to the system storing the passwords. Ensure that no one has network access to the system storing the passwords.
I would also suggest running the RADIUS server and/or the MySQL server with passwords on a separate machine from the web/dhcp server. That way, if someone breaks into the web server, they won't have access to the passwords.
Alan DeKok.
------------------------------
Message: 3 Date: Tue, 23 Oct 2007 09:23:50 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Re: TTLS with Mutual Authentication To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <471DA186.5030601@deployingradius.com> Content-Type: text/plain; charset=UTF-8
Zolotov, Eyal wrote:
By ?mutual authentication? I refer to the following authentication process:
1. The client authenticate the server
Give the client the CA cert used to sign the server cert.
2. The server authenticate the client
Create a client cert, signed by the server cert.
3. Only than ? the clients sends username + password using MSCHAPv2
In unlang, set:
update control { EAP-TLS-Require-Client-Cert = yes }
This forces the server to validate the client cert, which is normally not required for TTLS.
Alan DeKok.
------------------------------
Message: 4 Date: Tue, 23 Oct 2007 09:25:33 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Re: Are SHA-256 certificates supported? To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <471DA1ED.9050806@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
hannu.lammi@wipsl.com wrote:
I need to set up a RADIUS server that accepts certificates which use SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the box.
If OpenSSL supports it, AND the client supplicant supports it, it should work.
Here's a snippet of the log I got from my SHA-256 test:
===== --> verify error:num=7:certificate signature failure rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert write:fatal:decrypt error TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
That would seem to be an SSL issue.
So, I'd like to know if FreeRADIUS supports SHA-256 certificates? If it doesn't, is the support for them planned?
FreeRADIUS doesn't support SSL. It uses OpenSSL, which *does* support SSL. So if there are SSL issues, find out why OpenSSL doesn't like the TLS session.
Alan DeKok.
------------------------------
Message: 5 Date: Tue, 23 Oct 2007 10:04:23 +0200 (CEST) From: Geoffroy Arnoud <garnoud@yahoo.co.uk> Subject: FreeRADIUS and SNMP questions To: FreeRADIUS users <freeradius-users@lists.freeradius.org> Message-ID: <626622.60897.qm@web27314.mail.ukl.yahoo.com> Content-Type: text/plain; charset=iso-8859-1
Hi all,
I have 2 questions regarding FreeRADIUS and SNMP:
1/ Is it possible to run 2 FreeRADIUS servers on the same box, with SNMP support activated? I understand it's possible, using distinct values for smux_password parameter.
2/ Connecting FreeRADIUS to Net-SNMP using SMUX is quite easy. Has anyone connected FreeRADIUS with BMC PAtrol agent using SMUX?
Thanks for any answer
Geoff.
_____________________________________________________________________________ Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo! Mail
------------------------------
Message: 6 Date: Tue, 23 Oct 2007 10:08:22 +0200 From: primoz <primski@gmail.com> Subject: Re: Freeradius doesn't detect EAP when authenticating against MySQL To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <ead364dc0710230108u752b2593h4a7885ca04e61ce7@mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1"
On 10/23/07, Alan DeKok <aland@deployingradius.com> wrote:
preem wrote:
So, what is a common practice to do this then?
It's not.
People store MD5 or crypt'd passwords when the ONLY authentication they're doing is PAP. i.e. Unix logins, where the user supplies a clear-text password to the authentication system.
And PAP is not very safe and smart way to go as i read it.
For many EAP types, people do NOT store MD5 or crypt'd passwords,
because they're useless.
So, crypted passwords are usefull only in web applications? I read a lot lately about, how one should never store passwords in clear text, i guess that applies only to web apps.
I understand its not very
safe nor sane to store passwords in clear text, thats why I wanted to avoid that, however it seems inevitable.
It is safe, sane, and common practice to store passwords in clear text.
I do not have many experience with this, in fact its my first project on the matter.
I am managing a wired network for some 300 users, its a student dorm and the
university owns the network and they require authentication for the ease of management and control. 802.1x felt like the right way to go, because we are planning some wireless access points as well. There are HP's Procurve 2650 switches in use. I choose mysql db backend, because I also created set of PHP scripts, where users can change their passwords and admin can add/del/modify user info. So what can one do to avoid storing passes in clear text or is it sane enough? The server also serves some web pages and dhcp requests.
Ensure that no one has physical access to the system storing the passwords. Ensure that no one has network access to the system storing the passwords.
That will be no problem, since I'm the only one with physical access.
I would also suggest running the RADIUS server and/or the MySQL server
with passwords on a separate machine from the web/dhcp server. That way, if someone breaks into the web server, they won't have access to the passwords.
I am using VMWare server, so that won't require much work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks again, for clearing this up.
primski
Yes. Just use appropriate password attribute (Crypt-Password for crypt encrypted passwords, MD5-Password for md5 ecrypted passwords etc.). It will work for pap requests, as for others: http://deployingradius.com/documents/protocols/compatibility.html Ivan Kalik Kalik Informatika ISP Dana 13/3/2008, "ashish verma" <ashish.scit@gmail.com> piše:
Hi all,
Is it possible to keep encrypted passwords in users file?
For e.g. test Cleartext-Password := "test" Service-type = NAS-Prompt-User
instead of cleartext can we have encrypted passwords here.
Thanks.
hi, i want to disconnect user at midnight. So I've read the April 2004's forum and found some solutions. But there isn't anything about where to put Session-Timeout attribute. I've tried to put into users file. DEFAULT Group := 'static', Session-Timeout := `%{expr: ((%l + 86399) %% 86400) - %l}` Service-Type == Framed-User ... It didn't return Session-Timeout. But when I remove Group section from users file then it returns Session-Timeout. Also I've tried to put this into expr section in the radiusd.conf. Then put expr into authorize section. But it says authorize section couldn't read expr. How can I do this? I want to put this attribute into mysql radgroupreply table. What should I enter in the Value field?
Try SQL-Group == "static" in user file entry. You are not using Unix groups. Ivan Kalik Kalik Informatika ISP Dana 2/4/2008, "javkhlanbaatar@newcomsystems.mn" <javkhlanbaatar@newcomsystems.mn> piše:
hi,
i want to disconnect user at midnight. So I've read the April 2004's forum and found some solutions. But there isn't anything about where to put Session-Timeout attribute. I've tried to put into users file.
DEFAULT Group := 'static', Session-Timeout := `%{expr: ((%l + 86399) %% 86400) - %l}` Service-Type == Framed-User ...
It didn't return Session-Timeout. But when I remove Group section from users file then it returns Session-Timeout.
Also I've tried to put this into expr section in the radiusd.conf. Then put expr into authorize section. But it says authorize section couldn't read expr.
How can I do this?
I want to put this attribute into mysql radgroupreply table. What should I enter in the Value field?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The result is still same. It doesn't return Session-Timeout. How would be the Value field in radgroupreply, if I tried to use mysql table instead of users file.
Try SQL-Group == "static" in user file entry. You are not using Unix groups.
Ivan Kalik Kalik Informatika ISP
Dana 2/4/2008, "javkhlanbaatar@newcomsystems.mn" <javkhlanbaatar@newcomsystems.mn> pi¹e:
hi,
i want to disconnect user at midnight. So I've read the April 2004's forum and found some solutions. But there isn't anything about where to put Session-Timeout attribute. I've tried to put into users file.
DEFAULT Group := 'static', Session-Timeout := `%{expr: ((%l + 86399) %% 86400) - %l}` Service-Type == Framed-User ...
It didn't return Session-Timeout. But when I remove Group section from users file then it returns Session-Timeout.
Also I've tried to put this into expr section in the radiusd.conf. Then put expr into authorize section. But it says authorize section couldn't read expr.
How can I do this?
I want to put this attribute into mysql radgroupreply table. What should I enter in the Value field?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry, I didn't notice that Session-Timeout is on the same line as the Group. It shouldn't be there but as one of the reply lines. Ivan Kalik Kalik Informatika ISP Dana 3/4/2008, "javkhlanbaatar@newcomsystems.mn" <javkhlanbaatar@newcomsystems.mn> piše:
The result is still same. It doesn't return Session-Timeout. How would be the Value field in radgroupreply, if I tried to use mysql table instead of users file.
Try SQL-Group == "static" in user file entry. You are not using Unix groups.
Ivan Kalik Kalik Informatika ISP
Dana 2/4/2008, "javkhlanbaatar@newcomsystems.mn" <javkhlanbaatar@newcomsystems.mn> piše:
hi,
i want to disconnect user at midnight. So I've read the April 2004's forum and found some solutions. But there isn't anything about where to put Session-Timeout attribute. I've tried to put into users file.
DEFAULT Group := 'static', Session-Timeout := `%{expr: ((%l + 86399) %% 86400) - %l}` Service-Type == Framed-User ...
It didn't return Session-Timeout. But when I remove Group section from users file then it returns Session-Timeout.
Also I've tried to put this into expr section in the radiusd.conf. Then put expr into authorize section. But it says authorize section couldn't read expr.
How can I do this?
I want to put this attribute into mysql radgroupreply table. What should I enter in the Value field?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
It is all same. It didn't return SessionTimeout. my radgroupreply table: id Groupname Attribute Value op 1 static Session-Timeout := ? What should be instead of ?. I want to enter result of the expressions like `%{expr: ((%l + 86399) %% 86400) - %l}`. How can I make it? Also, in the debug mode, how can I shorten debugs. I mean, I want to get only access-accept, access-reject, access-request packets, not any others (like entering sql, expanding user etc.,). Help please
Sorry, I didn't notice that Session-Timeout is on the same line as the Group. It shouldn't be there but as one of the reply lines.
Ivan Kalik Kalik Informatika ISP
Dana 3/4/2008, "javkhlanbaatar@newcomsystems.mn" <javkhlanbaatar@newcomsystems.mn> pi¹e:
The result is still same. It doesn't return Session-Timeout. How would be the Value field in radgroupreply, if I tried to use mysql table instead of users file.
Try SQL-Group == "static" in user file entry. You are not using Unix groups.
Ivan Kalik Kalik Informatika ISP
Dana 2/4/2008, "javkhlanbaatar@newcomsystems.mn" <javkhlanbaatar@newcomsystems.mn> pi¹e:
hi,
i want to disconnect user at midnight. So I've read the April 2004's forum and found some solutions. But there isn't anything about where to put Session-Timeout attribute. I've tried to put into users file.
DEFAULT Group := 'static', Session-Timeout := `%{expr: ((%l + 86399) %% 86400) - %l}` Service-Type == Framed-User ...
It didn't return Session-Timeout. But when I remove Group section from users file then it returns Session-Timeout.
Also I've tried to put this into expr section in the radiusd.conf. Then put expr into authorize section. But it says authorize section couldn't read expr.
How can I do this?
I want to put this attribute into mysql radgroupreply table. What should I enter in the Value field?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What should be instead of ?. I want to enter result of the expressions like `%{expr: ((%l + 86399) %% 86400) - %l}`. How can I make it?
Try just: ((%l + 86399) %% 86400) - %l
Also, in the debug mode, how can I shorten debugs. I mean, I want to get only access-accept, access-reject, access-request packets, not any others (like entering sql, expanding user etc.,). Help please
-x will produce shortest debug, -xx longer, -xxx even more, etc. What you are asking for is not debug but radtest output. Ivan Kalik Kalik Informatika ISP
I've tried but it doesn't work. also i've tried to put this expression into modules section under expr{}. Then i've added expr to the authorize section. But in authorize section, there mustn't be any expressions. :( Please help
What should be instead of ?. I want to enter result of the expressions like `%{expr: ((%l + 86399) %% 86400) - %l}`. How can I make it?
Try just:
((%l + 86399) %% 86400) - %l
Also, in the debug mode, how can I shorten debugs. I mean, I want to get only access-accept, access-reject, access-request packets, not any others (like entering sql, expanding user etc.,). Help please
-x will produce shortest debug, -xx longer, -xxx even more, etc. What you are asking for is not debug but radtest output.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What doesn't work? Your expression? I don't recongnize %% operator (but I don't use C). Or placing it's value in Session-Timeout? Ivan Kalik Kalik Informatika ISP Dana 16/4/2008, "javkhlanbaatar@newcomsystems.mn" <javkhlanbaatar@newcomsystems.mn> piše:
I've tried but it doesn't work. also i've tried to put this expression into modules section under expr{}. Then i've added expr to the authorize section. But in authorize section, there mustn't be any expressions. :( Please help
What should be instead of ?. I want to enter result of the expressions like `%{expr: ((%l + 86399) %% 86400) - %l}`. How can I make it?
Try just:
((%l + 86399) %% 86400) - %l
Also, in the debug mode, how can I shorten debugs. I mean, I want to get only access-accept, access-reject, access-request packets, not any others (like entering sql, expanding user etc.,). Help please
-x will produce shortest debug, -xx longer, -xxx even more, etc. What you are asking for is not debug but radtest output.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
ashish verma -
Ivan Kalik -
javkhlanbaatar@newcomsystems.mn