Authenticate against FreeIPA PBKDF2_SHA256
Hello, I would like to authenticate against our FreeIPA servers. The problem is that our passwords are stored in the following format: PBKDF2_SHA256 FreeRADIUS did not support this at all until version 3.0.22 [1]. The functionality has been merged into the v3.0.x branch in September 2020. Unfortonately it still does not work in 3.0.22 with FreeIPA passwords. The example-password I'm trying to authenticate against has the following content: {PBKDF2_SHA256}AAAIAEwR4+gKWf4IQAoqJWD7qwaUtanUiuYCJzD7ISaOwuvoBE4Ltq58p7hF4Or32gz2vrbGcD9JL7hUHoswrqGFlgCvDSNZD9MmuNePPk5SK/G3OdBMjZ6/6ioy5WJjKToPkE4cwsxL3F7nq0XzjvhzF9muy7I5HHSFYxxYCE92xk03JHi2Q1dlKqdsMDxF6wa50JO3aoVD6ZfqYr3It+JxzQTKrUS5JxHetbBdmm3WEhuMf4kgwfsCstE55kYfQCvB94D9Ro5s05MOgQulX9VyvOTB0xugOii290gLUssX1/qkacHVabTbA252kdxfguonASGEX7mpjJRskubgTHFadJ5i5TfodqvxJ/cghMaxZ1rkHXTZ9fBXxNZHltYHZVexhV3sJOq3Cq3eyvVuLfp3qwixPBJBWDC3Wv/mCSzdW5v6 When I try to authenticate against it, it shows the following error when running freeradius -X: (1) pap: Unknown header {PBKDF2_SHA256} in Password-With-Header, re-writing to Cleartext-Password (1) pap: Removing &control:Password-With-Header (1) [pap] = updated (1) } # authorize = updated (1) Found Auth-Type = PAP (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Auth-Type PAP { (1) pap: Login attempt with password (1) pap: Comparing with "known good" Cleartext-Password (1) pap: ERROR: Cleartext password does not match "known good" password What I don't understand is, that FreeRADIUS says "Unknown header", although the PBKDF2_SHA256 support seems to be implemented. Is there anything wrong with my configration or is there still something wrong with the implementation of those kinds of hashes in FreeRADIUS? If I'd know C, I would love to help implementing the support. Maybe someone can help me with that. Cheers, Marc Sauer [1]: https://github.com/FreeRADIUS/freeradius-server/issues/2649 -- Marc Sauer Linux Systems Administrator Kunsthochschule für Medien Köln/ Academy of Media Arts Cologne Peter-Welter-Platz 2 50676 Köln https://www.khm.de https://en.khm.de tel: +49 221 20189 - 239 business mobile: +49 151 74230781
On Apr 7, 2021, at 8:27 AM, Marc Sauer <m.sauer@khm.de> wrote:
I would like to authenticate against our FreeIPA servers. The problem is that our passwords are stored in the following format:
PBKDF2_SHA256
That's not supported. v3 supports PBKDF2 with various HMACs. See src/modules/rlm_pap/rlm_pap.c
FreeRADIUS did not support this at all until version 3.0.22 [1]. The functionality has been merged into the v3.0.x branch in September 2020.
Unfortonately it still does not work in 3.0.22 with FreeIPA passwords.
The example-password I'm trying to authenticate against has the following content:
{PBKDF2_SHA256}AAAIAEwR4+g...
That isn't supported. It's probably not hard to add, but... there's a ton of variants.
When I try to authenticate against it, it shows the following error when running freeradius -X:
(1) pap: Unknown header {PBKDF2_SHA256} in Password-With-Header, re-writing to Cleartext-Password
That seems pretty clear: "Unknown header".
What I don't understand is, that FreeRADIUS says "Unknown header", although the PBKDF2_SHA256 support seems to be implemented.
What makes you say that? PBKDF2 is a whole family of password formats. Which means that each one has to be supported explicitly.
Is there anything wrong with my configration or is there still something wrong with the implementation of those kinds of hashes in FreeRADIUS?
The error message is clear: "Unknown header". It does NOT say "found known header, and then the password didn't match".
If I'd know C, I would love to help implementing the support.
We'll take a look, but we can't promise any particular time frame. Alan DeKok.
participants (2)
-
Alan DeKok -
Marc Sauer