pptpd+freeradius+ldap: which password encryption can I use?
Hi Everybody, I'm trying to setup a PPTPD server which would authenticate users using my openLDAP user database, in doing so I need freeradius. By now the only setup that actually works is: users in LDAP with clear text password. Obviously I want to use some kind of encryption for passwords and I don't like the solution of using cleartext passwords and the use of a specific user allowed to access to the password attribute, so my question is: which other possibilities I have? Looking to this table http://deployingradius.com/documents/protocols/compatibility.html I understand that I can use pap + sha1 but I can't understand how. Can anyone help me understand what is possible and what not? Many thanks Alberto
Alberto Aldrigo wrote:
I'm trying to setup a PPTPD server which would authenticate users using my openLDAP user database, in doing so I need freeradius. By now the only setup that actually works is: users in LDAP with clear text password.
What kind of authentication method is PPTPD using? You can tell by looking at the FreeRADIUS debug log... which is suggested daily on this list.
Obviously I want to use some kind of encryption for passwords and I don't like the solution of using cleartext passwords and the use of a specific user allowed to access to the password attribute, so my question is: which other possibilities I have? Looking to this table http://deployingradius.com/documents/protocols/compatibility.html I understand that I can use pap + sha1 but I can't understand how. Can anyone help me understand what is possible and what not?
You're really asking the wrong question. If the only thing that works is LDAP with clear-text passwords, then the authentication method doesn't support encrypted passwords. That's why the web page says it's *IMPOSSIBLE*. Because, well, it's impossible. What other conclusion did you reach after reading that page? Alan DeKok.
On 04/30/2013 06:11 AM, Alberto Aldrigo wrote:
Hi Everybody,
I'm trying to setup a PPTPD server which would authenticate users using my openLDAP user database, in doing so I need freeradius. By now the only setup that actually works is: users in LDAP with clear text password. Obviously I want to use some kind of encryption for passwords and I don't like the solution of using cleartext passwords and the use of a specific user allowed to access to the password attribute, so my question is: which other possibilities I have? Looking to this table http://deployingradius.com/documents/protocols/compatibility.html I understand that I can use pap + sha1 but I can't understand how. Can anyone help me understand what is possible and what not? Many thanks
cleartext passwords should work for most everything as shown in the compatibility table, if it's not you've broken something. You other option is to hash your passwords, refer to the table for what will work, you'll probably need to prefix your password values with a scheme prefix. However hashing is *not* encryption nor is hashing secure. Do not depend on hashing to provide protection! Most hashes can be broken easily, This is especially true if they can be retrieved for offline cracking which is the gift you're giving your attacker if you don't lock down your password attributes. Bottom line, there is no short-cut or excuse not to lock down password attributes with ACL's such that only a select subset of users can see them (e.g. radiusd, root). -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
participants (3)
-
Alan DeKok -
Alberto Aldrigo -
John Dennis