Authentication Problem
Im just about at the end of my rope... I have been searching and reading and reading, but cannot get this to work. I have a external ms sql database that has three columns only. member_id, HashedPassword, and Salt. I am trying to authenticate against this database. 1st question is: Do I have to use the schema that is inside freeradius, and if I do not, how do I get FR to auth without using all the tables that are preinstalled in the schema? Unfortunately I am not a sql database guy, im a network guy, and writing db is not my forte.. This is what I have but yet I know it is incorrect. I dont want to use any groups, it is strictly for someone to logon to our vpn and wireless connections. The passwords are stored in SHA-512 with Salt and unicoding. Is it even possible or am I wasting my time? I am running 3.0.6 of FR. These are the only columns in the database. recreating the database isnt likely to happen, having almost 19,000 rows in the table. authorize_check_query = "\ SELECT member_id, HashedPassword, Salt \ FROM ${dbo.vw_Main_table} \ WHERE UserName = '%{SQL-User-Name}'" Robert Graham Network Engineer U-Haul International 2727 N. Central Ave Phoenix, AZ 85004
On 13 Jan 2015, at 06:29, Robert Graham <robert_graham@uhaul.com> wrote:
Im just about at the end of my rope... I have been searching and reading and reading, but cannot get this to work.
I have a external ms sql database that has three columns only. member_id, HashedPassword, and Salt.
I am trying to authenticate against this database.
1st question is: Do I have to use the schema that is inside freeradius,
Yes if you want to use the large amount of logic embedded in the rlm_sql module, if you want to do arbitrary queries, no. rlm_sql was written to emulate the users file. The schema fully represents a users file in SQL, that's what all the logic in rlm_sql is doing, taking SQL data and processing it in a similar way to the users file.
and if I do not, how do I get FR to auth without using all the tables that are preinstalled in the schema?
Unlang update { Tmp-String-0 := "%{sql:SELECT field FROM table WHERE ...}" } It will only get you the first value of the first column, so you'll need to do it three times, or concatenate the column values with commas, and split the string using a regular expression.
This is what I have but yet I know it is incorrect. I dont want to use any groups, it is strictly for someone to logon to our vpn and wireless connections. The passwords are stored in SHA-512 with Salt and unicoding. Is it even possible or am I wasting my time? I am running 3.0.6 of FR. These are the only columns in the database.
If you'd responded to the comment in my previous email: "Sounds like this discussion is irrelevant as OP doesn't require SHA2 in v2.2.x anyway, but I would be curious if they require SSHA2 support, and what the FIPS guidelines say on salting the hashes, and whether that's vital." I would have added support for salted SHA512 last weekend, as it is, no the server doesn't support salted SHA512. I included a basic description of the feature in my previous email, Alan or one of the other development team may add it for you, but I don't have time now.
recreating the database isnt likely to happen, having almost 19,000 rows in the table.
That's a pretty small row set TBH.
authorize_check_query = "\ SELECT member_id, HashedPassword, Salt \ FROM ${dbo.vw_Main_table} \ WHERE UserName = '%{SQL-User-Name}'"
-Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Mon, Jan 12, 2015 at 04:29:27PM -0700, Robert Graham wrote:
This is what I have but yet I know it is incorrect. I dont want to use any groups, it is strictly for someone to logon to our vpn and wireless connections. The passwords are stored in SHA-512 with Salt and unicoding.
Just be aware that if your passwords are SHA-512 you're limiting wireless authentication to something that involves PAP (e.g. EAP/TTLS-PAP), which e.g Windows<8.0 doesn't support natively. Then you're down to something like Arran suggested in inner-tunnel authorize: update control { SHA2-Password := "%{sql:SELECT password FROM table WHERE ...}" } pap Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Matt / Development Team, Would it be possible to integrate Salted SHA-512 into freeradius. I did speak with our contact with the PCI Compliance team and they are saying that the information has to be SHA-512/Salted... In the next few years they are talking about SHA-3 if it gets finalized. I would really appreciate if someone on the team could do this :) Robert Graham Network Engineer U-Haul International 2727 N. Central Ave Phoenix, AZ 85004 FreeRadius users mailing list <freeradius-users@lists.freeradius.org> writes:
On Mon, Jan 12, 2015 at 04:29:27PM -0700, Robert Graham wrote:
This is what I have but yet I know it is incorrect. I dont want to use any groups, it is strictly for someone to logon to our vpn and wireless connections. The passwords are stored in SHA-512 with Salt and unicoding.
Just be aware that if your passwords are SHA-512 you're limiting wireless authentication to something that involves PAP (e.g. EAP/TTLS-PAP), which e.g Windows<8.0 doesn't support natively.
Then you're down to something like Arran suggested
in inner-tunnel authorize:
update control { SHA2-Password := "%{sql:SELECT password FROM table WHERE ...}" } pap
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 14, 2015, at 7:55 PM, Robert Graham <robert_graham@uhaul.com> wrote:
Would it be possible to integrate Salted SHA-512 into freeradius.
Yes.
I did speak with our contact with the PCI Compliance team and they are saying that the information has to be SHA-512/Salted... In the next few years they are talking about SHA-3 if it gets finalized.
I would really appreciate if someone on the team could do this :)
Can you send some sample SSHA passwords? e.g. ones where the password is “test” or “hello”, Include the salt, the hex form of the SHA2 password, the clear-text password, and which SHA method you used. We’ll use that to create test vectors. This code should go into the next release of version 2. Security things like this are OK. Alan DeKok.
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Matthew Newton -
Robert Graham