Crypt Passwords in SQL
Greetings, First, Thanks Alan DeKok. That was exactly what I needed for NAS_Showt_Name. Second, I just discovered a new issue. Not sure if this is a radius or a MySQL issue. When I crypt a password (MySQL CRYPT command) the password matches anything and everything that matches the first 8 characters of the password. Is this a limitation of Radius crypt or is it a Mysql crypt ? I need 16+ character password that match. Wm
On Wed, Nov 17, 2010 at 04:15:47PM -0500, William wrote:
Greetings, First, Thanks Alan DeKok. That was exactly what I needed for NAS_Showt_Name.
Second, I just discovered a new issue. Not sure if this is a radius or a MySQL issue.
When I crypt a password (MySQL CRYPT command) the password matches anything and everything that matches the first 8 characters of the password.
Is this a limitation of Radius crypt or is it a Mysql crypt ? I need 16+ character password that match.
Wm
Crypt has an 8 character limit in its specification. Some screwy systems play tricks like using the first 7 chars + the last char of a string longer than 8 chars (MacOS) instead of just the first 8, but it is still eight chars. You will need to use another encoding system for more characters. Cheers, Ken
On Wednesday, November 17, 2010 04:24:32 pm Kenneth Marshall wrote:
On Wed, Nov 17, 2010 at 04:15:47PM -0500, William wrote:
Greetings,
First, Thanks Alan DeKok. That was exactly what I needed for
NAS_Showt_Name.
Second, I just discovered a new issue. Not sure if this is a radius or a
MySQL issue.
When I crypt a password (MySQL CRYPT command) the password matches anything and everything that matches the first 8 characters of the password.
Is this a limitation of Radius crypt or is it a Mysql crypt ? I need 16+ character password that match.
Wm
Crypt has an 8 character limit in its specification. Some screwy systems play tricks like using the first 7 chars + the last char of a string longer than 8 chars (MacOS) instead of just the first 8, but it is still eight chars. You will need to use another encoding system for more characters.
What attribute would I use instead of Crypt-Password ? I tried MD5-Password and a couple of others, but I can find no documentation on anything other than User-Password, Crypt-Password, ClearText-Password, and CHAP-Password. Wm
On Wed, Nov 17, 2010 at 05:00:19PM -0500, William wrote:
On Wednesday, November 17, 2010 04:24:32 pm Kenneth Marshall wrote:
On Wed, Nov 17, 2010 at 04:15:47PM -0500, William wrote:
Greetings,
First, Thanks Alan DeKok. That was exactly what I needed for
NAS_Showt_Name.
Second, I just discovered a new issue. Not sure if this is a radius or a
MySQL issue.
When I crypt a password (MySQL CRYPT command) the password matches anything and everything that matches the first 8 characters of the password.
Is this a limitation of Radius crypt or is it a Mysql crypt ? I need 16+ character password that match.
Wm
Crypt has an 8 character limit in its specification. Some screwy systems play tricks like using the first 7 chars + the last char of a string longer than 8 chars (MacOS) instead of just the first 8, but it is still eight chars. You will need to use another encoding system for more characters.
What attribute would I use instead of Crypt-Password ? I tried MD5-Password and a couple of others, but I can find no documentation on anything other than User-Password, Crypt-Password, ClearText-Password, and CHAP-Password.
Wm
Crypt-Password just holds the encrypted password. It is up to you to properly encrypt the password and use it. You just cannot use the MySQL crypt() function since it has an 8-char password limit. Ken
On Thursday, November 18, 2010 09:40:26 am Kenneth Marshall wrote:
On Wed, Nov 17, 2010 at 05:00:19PM -0500, William wrote:
On Wednesday, November 17, 2010 04:24:32 pm Kenneth Marshall wrote:
On Wed, Nov 17, 2010 at 04:15:47PM -0500, William wrote:
Greetings,
First, Thanks Alan DeKok. That was exactly what I needed for
NAS_Showt_Name.
Second, I just discovered a new issue. Not sure if this is a radius or a
MySQL issue.
When I crypt a password (MySQL CRYPT command) the password matches anything and everything that matches the first 8 characters of the password.
Is this a limitation of Radius crypt or is it a Mysql crypt ? I need 16+ character password that match.
Wm
Crypt has an 8 character limit in its specification. Some screwy systems play tricks like using the first 7 chars + the last char of a string longer than 8 chars (MacOS) instead of just the first 8, but it is still eight chars. You will need to use another encoding system for more characters.
What attribute would I use instead of Crypt-Password ? I tried MD5-Password and a couple of others, but I can find no documentation on anything other than User-Password, Crypt-Password, ClearText-Password, and CHAP-Password.
Wm
Crypt-Password just holds the encrypted password. It is up to you
I tried a MD5 password of "testpassword" so that table has: ID|username|attribute...................|op..|value. 1 | testuser | Crypt-Password | == | e16b2ab8d12314bf4efbd6203906ea6c using SQL command that contained: SET `value` = MD5( 'testpassword' ) Radius claims the password is incorrect when I test it. ** Result from radius -X: (attribute set to CRYPT-Password) <snip> +- entering group PAP {...} [pap] login attempt with password "testpassword" [pap] Using CRYPT encryption. [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Login incorrect (rlm_pap: CRYPT password check failed): [testuser/testpassword] (from client Local2 port 12) **Result from radiusd -X: (attribute set to MD5-Password) [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [testuser/testpassword] (from client Local2 port 12) Using Post-Auth-Type Reject I tried with attribute as MD5-Password. I've read the man rlm_pap man-file. I saw the section marked Header. How/where do I need to add that? or is it auto-magic? I even tried {md5}<encrypted password here> still claoms php can't find a known good password. I tried with pap's auto-header set to yes... Nothing seems to work. Any pointers or suggestions? Wm
participants (2)
-
Kenneth Marshall -
William