Problem using hased passwords
Hi, I am trying to use a hased password, but I get the error: pap: ERROR: SHA1 digest does not match "known good" digest from the eap_gtc module. According to the compatibility matrix this should work. My setup: users file: user SHA-Password := "<SHA sum of the password, not salted>" Log: (31) files: users: Matched entry misch3 at line 101 (31) [files] = ok (...) (31) pap: Normalizing SHA-Password from hex encoding, 40 bytes -> 20 bytes (31) pap: WARNING: Auth-Type already set. Not setting to PAP (31) [pap] = noop (31) } # authorize = updated (31) eap_gtc: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (31) eap_gtc: Auth-Type PAP { (31) pap: Login attempt with password (31) pap: Comparing with "known-good" SHA-Password (31) pap: ERROR: SHA1 digest does not match "known good" digest (31) pap: Passwords don't match (31) eap_gtc: [pap] = reject (31) eap_gtc: } # Auth-Type PAP = reject Any ideas? I double checked the passwords and the SHA sum on both ends. Michael.
On Jun 30, 2023, at 6:46 AM, Michael Schwartzkopff via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am trying to use a hased password, but I get the error:
pap: ERROR: SHA1 digest does not match "known good" digest
from the eap_gtc module.
According to the compatibility matrix this should work.
Hmm, yes. It should work. I do this: update control { &SHA1-Password := "%{sha1:hello}" } pap.authenticate ... And the debug output shows: Fri Jun 30 07:25:14 2023 : Debug: (0) pap: Login attempt with password "hello" (5) Fri Jun 30 07:25:14 2023 : Debug: (0) pap: Comparing with "known-good" SHA-Password Fri Jun 30 07:25:14 2023 : Debug: (0) pap: User authenticated successfully Fri Jun 30 07:25:14 2023 : Debug: (0) modsingle[authenticate]: returned from pap (rlm_pap) Fri Jun 30 07:25:14 2023 : Debug: (0) [pap] = ok Fri Jun 30 07:25:14 2023 : Debug: (0) } # authenticate = ok I'm not sure what else is going on Maybe change SHA-Password to SHA1-Password? I ran into an issue here related to that which might affect it. I'll try to track that down. Alan DeKok.
On 30.06.23 13:26, Alan DeKok wrote:
On Jun 30, 2023, at 6:46 AM, Michael Schwartzkopff via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am trying to use a hased password, but I get the error:
pap: ERROR: SHA1 digest does not match "known good" digest
from the eap_gtc module.
According to the compatibility matrix this should work. Hmm, yes. It should work.
I do this:
update control { &SHA1-Password := "%{sha1:hello}" } pap.authenticate ...
Thanks. That solved the problem. I calculated the SHA sum for my password incorrect. Next question: How can I define a salted hash password in the users file? I did not find anything useful in the docs. openssl passwd -5 -salt salt hello $5$salt$ZYXsK0pxpaRWBUweKuToC90TC/15c9Iz8u3SGLTaS4D How can I enter this string as password in FR? What attribute do I assign it? The Password-With-Header complains, because there is no {...} header. SSHA-Password? Will FR interpete $5$salt$.... correctly? Michael
On Jun 30, 2023, at 7:59 AM, Michael Schwartzkopff via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Thanks. That solved the problem. I calculated the SHA sum for my password incorrect.
OK. I'll try to track down why that happens.
Next question: How can I define a salted hash password in the users file? I did not find anything useful in the docs.
openssl passwd -5 -salt salt hello $5$salt$ZYXsK0pxpaRWBUweKuToC90TC/15c9Iz8u3SGLTaS4D
How can I enter this string as password in FR? What attribute do I assign it? The Password-With-Header complains, because there is no {...} header. SSHA-Password? Will FR interpete $5$salt$.... correctly?
SSHA1-Password should work. FreeRADIUS will hand the salt stuff to the various crypto libraries, which will Do The Right Thing. Alan DeKok.
participants (2)
-
Alan DeKok -
Michael Schwartzkopff