FreeRadius-1.1.0 - rlm_digest with MD5 passwords in a MySQL db
Hey All, I've been spending my day trying to get rlm_digest to work with encrypted passwords in a MySQL database. When I use the User-Password attribute with a plain text password then digest authentication works fine, however when I change the attribute to MD5-Password I get the following on the console when running radiusd -X; rlm_digest: Configuration item "User-Password" or MD5-Password is required for authentication. Looking through the rlm_digest.c file I found that PW_MD5_PASSWORD needs to be defined before the module will look for the MD5-Password attribute and following how PW_PASSWORD is defined I added -DPW_MD5_PASSWORD=1095 to the compile options and still got the same message. I defined the same value in radiusd.h and again got the same message. So, how do I get encrypted password storage to work? Does anyone have any pointers on where to go from here? Thanks, Evan
Hi Evan, I don't have much experience with the FR 'sql' module. I know it is possible to achieve what you want using LDAP as a backend database. In this case, the password is mapped to an LDAP attribute (ex. userPassword), which value is pulled out during the 'authorize' process. I don't know whether a similar operation can be expected with 'sql', maybe someone else has an answer. On 1/23/06, Evan Borgström <evan.borgstrom@ca.mci.com> wrote:
Hey All,
I've been spending my day trying to get rlm_digest to work with encrypted passwords in a MySQL database. When I use the User-Password attribute with a plain text password then digest authentication works fine, however when I change the attribute to MD5-Password I get the following on the console when running radiusd -X;
rlm_digest: Configuration item "User-Password" or MD5-Password is required for authentication.
Just for testing purpose, have you tried using the 'users' file?
So, how do I get encrypted password storage to work? Does anyone have any pointers on where to go from here?
The following URL might help : http://wiki.freeradius.org/index.php/Digest Regards, Philippe
Hi, Again, newbie question that I failed to find the anwser from FAQ or wiki. I would like to restrict user login by NAS-IP-address or fqdn if possible. Therefore I can restrict user to login a group of devices. user1 Auth-Type := Local, User-Password == "sceret", NAS-IP-address =="10.1.2.0/24" ... It works if NAS-IP-address == "10.1.2.3", but that will require ~250 entries in users file. Can it be group into /24 or is NAS-Network-address exist? How about using DNS name, something like user1 Auth-Type := Local, User-Password == "sceret", NAS-fqdn =~ /*.(core|edge).domain/ ... Thanks a lot, Min
"Min Qiu" <mqiu@globalinternetworking.com> writes:
I would like to restrict user login by NAS-IP-address or fqdn if possible. Therefore I can restrict user to login a group of devices.
user1 Auth-Type := Local, User-Password == "sceret", NAS-IP-address =="10.1.2.0/24"
Using a regexp is just as easy when you just need to restrict it on the byte boundaries: user1 Auth-Type := Local, User-Password == "sceret", NAS-IP-address =~ "^10\.1\.2\." Hmm, the manual says that the regex operators may only be applied to string attributes. But I believe it works on IP addresses too, doesn't it? You might want to check out "huntgroups" in any case. See doc/README and the sample raddb/huntgroups file. Bjørn
=?ISO-8859-1?Q?Evan_Borgstr=F6m?= <evan.borgstrom@ca.mci.com> wrote:
I've been spending my day trying to get rlm_digest to work with encrypted passwords in a MySQL database.
It won't work. Digest requires access to the clear-text passwords, OR the Digest-HA1 form of the password.
When I use the User-Password attribute with a plain text password then digest authentication works fine, however when I change the attribute to MD5-Password I get the following on the console when running radiusd -X;
If you're trying to use the straight MD5 hashed version of the password, it won't work. Ever. The protocol was designed to make it impossible. The PW_MD5_PASSWORD stuff in 1.1.0 is commented out for a number of reasons, at least one of which is the hashed password should be called Digest-HA1, and not MD5-Password. Alan DeKok.
participants (5)
-
Alan DeKok -
Bjørn Mork -
Evan Borgström -
Min Qiu -
Philippe Sultan