Password Hashed + Salted before authentication with an embedded script
Ia there a way to embed a python script into freeradius 3 to hash and salt the users password before authenticating to the MS SQL database... We have a USERNAME HASHEDPASSWORD SALT column in our database. I want to be able to compare the two passwords that are both hased before allowing the user to connect...
On Jan 9, 2015, at 10:54 AM, Robert Graham <robert_graham@uhaul.com> wrote:
Ia there a way to embed a python script into freeradius 3 to hash and salt the users password before authenticating to the MS SQL database…
Yes. But you don’t want to do it.
We have a USERNAME HASHEDPASSWORD SALT column in our database. I want to be able to compare the two passwords that are both hased before allowing the user to connect...
FreeRADIUS is an authentication server. It can handle hashed passwords. What format are the hashed passwords using? You should be able to configure FreeRADIUS to read the passwords from SQL, and then do the authentication itself. That will be a LOT simpler and faster than writing a python script. Alan DeKok.
I believe it is SHA-2 for PCI compliance reasons, and from what I have read Freeradius cannot do SHA-2, yet.... I will go check with the db admin for the logins and make sure FreeRadius users mailing list <freeradius-users@lists.freeradius.org> writes:
FreeRADIUS is an authentication server. It can handle hashed passwords.
On Jan 9, 2015, at 11:44 AM, Robert Graham <robert_graham@uhaul.com> wrote:
I believe it is SHA-2 for PCI compliance reasons, and from what I have read Freeradius cannot do SHA-2, yet....
Version 3 does SHA2. It’s probably useful to back-port that to version 2. Alan DeKok.
On Fri, Jan 09, 2015 at 09:44:34AM -0700, Robert Graham wrote:
I believe it is SHA-2 for PCI compliance reasons, and from what I have read Freeradius cannot do SHA-2, yet....
In rlm_pap: commit 5e1c9e1c55157d9774d539d8f9b1e2f4124e75b6 Author: Arran Cudbard-Bell <a.cudbardb@freeradius.org> Date: Thu Feb 6 15:50:28 2014 +0000 Add support for SHA-2 digests Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Matthew, I apologize for my lack of understanding.. In what config file does that paricular command get entered... Robert Graham Network Engineer U-Haul International 2727 N. Central Ave Phoenix, AZ 85004 FreeRadius users mailing list <freeradius-users@lists.freeradius.org> writes:
On Fri, Jan 09, 2015 at 09:44:34AM -0700, Robert Graham wrote:
I believe it is SHA-2 for PCI compliance reasons, and from what I have read Freeradius cannot do SHA-2, yet....
In rlm_pap:
commit 5e1c9e1c55157d9774d539d8f9b1e2f4124e75b6 Author: Arran Cudbard-Bell <a.cudbardb@freeradius.org> Date: Thu Feb 6 15:50:28 2014 +0000
Add support for SHA-2 digests
Cheers,
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 9, 2015, at 2:01 PM, Robert Graham <robert_graham@uhaul.com> wrote:
I apologize for my lack of understanding.. In what config file does that paricular command get entered…
You don’t. SHA2 was added for version 3, as I said. If you want SHA2 support for version 2, we can do that. Which version are you running? Alan DeKok.
Oh nevermind then, Im running 3.0.6.... Thanks Alan, No wonder I couldnt find any documentation on it. Robert Graham Network Engineer U-Haul International 2727 N. Central Ave Phoenix, AZ 85004 FreeRadius users mailing list <freeradius-users@lists.freeradius.org> writes:
On Jan 9, 2015, at 2:01 PM, Robert Graham <robert_graham@uhaul.com> wrote:
I apologize for my lack of understanding.. In what config file does that paricular command get entered…
You don’t. SHA2 was added for version 3, as I said. If you want SHA2 support for version 2, we can do that.
Which version are you running?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Jan 09, 2015 at 02:40:04PM -0700, Robert Graham wrote:
Oh nevermind then, Im running 3.0.6....
You should be OK then - it follows the same as all other crypted passwords do in rlm_pap (see the dictionary addition at the top of the commit I sent previously): Pull the password hash from the db into SHA2-Password, then call pap. Or ensure Password-With-Header begins with {sha2} {sha256} or {sha512} followed by the hash, then call pap.
No wonder I couldnt find any documentation on it.
Like many free software projects, the documentation may not be as good as you thought it should be. Feel free to help out! Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 10 Jan 2015, at 04:40, Robert Graham <robert_graham@uhaul.com> wrote:
Oh nevermind then, Im running 3.0.6....
Yeah FreeRADIUS 3.0.6 will work with SHA-224 SHA-256 SHA-384 and SHA-512. It can produce hashes for SHA-256 and SHA-512 (using xlat expansions). For SHA2 must be built with OpenSSL whereas, we fallback to our own internal implementations of SHA1 and MD5 if OpenSSL isn't available. Looking through the code it doesn't support SSHA2, because the SHA-2 digest is chosen automatically based on the digest length, and adding a random length salt messes that up. Think the idea was to add a Salt-Length attribute, to avoid adding the 8 additional attributes required for the salt and unsalted version of each of the SHA2 hashes, but after seeing how many issues relatively simple changes like removing Auth-Type from LDAP caused, I think it'd probably be best to stick with the current scheme and add: sha224-password ssha224-password sha256-password ssh256-password sha384-password ssha384-password sha512-password ssha512-password We can still keep sha2-password, and still do the autodetection there, but we can't support a salted variant. I'm generally against backporting features to a version which has been 'feature frozen'. This case is no exception. If we're going to make policies regarding merging features we should stick to them. Backporting the SHA2 changes is not risk free, as there's some changes to how we initialise libssl to get access to all the EVP hashing functions which were not used before SHA2 support was added. Sounds like this discussion is irrelevant as OP doesn't require SHA2 anyway, but I would be curious if they require SSHA2 support, and what the FIPS guidelines say on salting the hashes, and whether that's vital. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Sounds like this discussion is irrelevant as OP doesn't require SHA2
* in v2.x.x
anyway,
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Sat, Jan 10, 2015 at 08:27:26AM +0700, Arran Cudbard-Bell wrote:
On 10 Jan 2015, at 04:40, Robert Graham <robert_graham@uhaul.com> wrote:
Oh nevermind then, Im running 3.0.6....
Yeah FreeRADIUS 3.0.6 will work with SHA-224 SHA-256 SHA-384 and SHA-512.
Have just done a pull request to bring the rlm_pap man page into the current decade (though I think NS-MTA-MD5-Password and LM-Password count against that, but included for completeness). https://github.com/FreeRADIUS/freeradius-server/pull/870 Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 10 Jan 2015, at 09:16, Matthew Newton <mcn4@LEICESTER.AC.UK> wrote:
On Sat, Jan 10, 2015 at 08:27:26AM +0700, Arran Cudbard-Bell wrote:
On 10 Jan 2015, at 04:40, Robert Graham <robert_graham@uhaul.com> wrote:
Oh nevermind then, Im running 3.0.6....
Yeah FreeRADIUS 3.0.6 will work with SHA-224 SHA-256 SHA-384 and SHA-512.
Have just done a pull request to bring the rlm_pap man page into the current decade (though I think NS-MTA-MD5-Password and LM-Password count against that, but included for completeness).
Thanks, merged. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Matthew Newton -
Robert Graham