Hello list, Is it possible to add additional password encryption options to FreeRADIUS so that the user database can be used as a user/password store (For instance PBKDF2 or scrypt)? When I look at "man rlm_pap", the amount of encryption options for passwords are limited when FreeRADIUS is your only user database. I'm creating a POC where users can register for an account to use certain services (accessible via radius authentication) and I'm trying to only use the FreeRADIUS mysql database as a backend to keep it simple, but the password encryption methods aren't considered secure by today's standards. Short of maintaining 2 databases with user information, how are people on the list handling these cases or is my use case a bit out of the ordinary?
On May 25, 2016, at 12:39 PM, Laurens Vets <laurens@daemon.be> wrote:
Hello list,
Is it possible to add additional password encryption options to FreeRADIUS so that the user database can be used as a user/password store (For instance PBKDF2 or scrypt)?
Yeah, some guy submitted code to do that, but it was awful.
When I look at "man rlm_pap", the amount of encryption options for passwords are limited when FreeRADIUS is your only user database. I'm creating a POC where users can register for an account to use certain services (accessible via radius authentication) and I'm trying to only use the FreeRADIUS mysql database as a backend to keep it simple, but the password encryption methods aren't considered secure by today's standards.
What, salted SHA512 isn't considered secure by todays standards? If you don't mind providing some test output PBKDF2 i'll see if I can fix the code I have to not be terrible... -Arran
Hi list,
Is it possible to add additional password encryption options to FreeRADIUS so that the user database can be used as a user/password store (For instance PBKDF2 or scrypt)?
Yeah, some guy submitted code to do that, but it was awful.
When I look at "man rlm_pap", the amount of encryption options for passwords are limited when FreeRADIUS is your only user database. I'm creating a POC where users can register for an account to use certain services (accessible via radius authentication) and I'm trying to only use the FreeRADIUS mysql database as a backend to keep it simple, but the password encryption methods aren't considered secure by today's standards.
What, salted SHA512 isn't considered secure by todays standards?
If you don't mind providing some test output PBKDF2 i'll see if I can fix the code I have to not be terrible...
I'm using Python Passlib to generate the below output (https://pypi.python.org/pypi/passlib). The author of Passlib recommends to use bcrypt, sha512_crypt or pbkdf2_sha512 in applications these days. On Ubuntu: sudo apt-get python-passlib python3-passlib
from passlib.hash import bcrypt bcrypt.encrypt('password123') '$2a$12$G1gi54hD.9y4ws4Bcg94n.kGKM/R8CEtqVNGczNAzzwc6gN9NhAjC' bcrypt.encrypt('password123', salt='G1gi54hD.9y4ws4Bcg94n.', rounds=12) '$2a$12$G1gi54hD.9y4ws4Bcg94n.kGKM/R8CEtqVNGczNAzzwc6gN9NhAjC'
from passlib.hash import pbkdf2_sha512 pbkdf2_sha512.encrypt('password123') '$pbkdf2-sha512$25000$X.tdS.l9j9Ham/Meg7C2lg$YPo7a7kJQyqDHzDnkfS/0mWZibLOIOcTPCZtuK454VQtDRw0Q3mBkUWqRy1av5N/bpU.ohuN2ucMyl3ZJuAsSw'
Next version of Passlib (1.7) will have scrypt as well. What's the digest for PBKDF2 used in the code you received? Kind regards, Laurens
On May 25, 2016, at 12:39 PM, Laurens Vets <laurens@daemon.be> wrote:
Is it possible to add additional password encryption options to FreeRADIUS so that the user database can be used as a user/password store (For instance PBKDF2 or scrypt)?
Update the code in rlm_pap. Why? Because it's critical to get authentication correct. And the best way to do that is to implement it ourselves.
When I look at "man rlm_pap", the amount of encryption options for passwords are limited when FreeRADIUS is your only user database. I'm creating a POC where users can register for an account to use certain services (accessible via radius authentication) and I'm trying to only use the FreeRADIUS mysql database as a backend to keep it simple, but the password encryption methods aren't considered secure by today's standards.
As Arran noted, yes... modern and secure options are available. We allow old methods because people have old systems.
Short of maintaining 2 databases with user information, how are people on the list handling these cases or is my use case a bit out of the ordinary?
Your situation is a bit out of the ordinary. 99% of sites have users in their AD (and NT hashed passwords), or in an SQL or LDAP database, which use industry standard password hashes. Newer password hash methods are just not that widely used. But if you contribute patches to update rlm_pap, I would be happy to integrate them. Alan DeKok.
We are 2 databases kind of, ldap for authentication, postgres for accounting. Ldap is Redhat IDM/FreeIPA. Credentials are encrypted and replicated over multiple instances. FR makes ldap bind with given credentials, and it is succesfull or not. In previous use-cases i used pure sql backend, but it always ended up as clear-text passwords for users, or implementation troubles. r. On 05/25/2016 06:39 PM, Laurens Vets wrote:
Hello list,
Is it possible to add additional password encryption options to FreeRADIUS so that the user database can be used as a user/password store (For instance PBKDF2 or scrypt)?
When I look at "man rlm_pap", the amount of encryption options for passwords are limited when FreeRADIUS is your only user database. I'm creating a POC where users can register for an account to use certain services (accessible via radius authentication) and I'm trying to only use the FreeRADIUS mysql database as a backend to keep it simple, but the password encryption methods aren't considered secure by today's standards.
Short of maintaining 2 databases with user information, how are people on the list handling these cases or is my use case a bit out of the ordinary? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Laurens Vets -
Rasto Rickardt