Storing hashes in MySQL when using MS_CHAP
Hello, I'm trying to conceal plain-text passwords from my radius.radcheck database in order to it'll be useless if it's stolen. My config is FreeBSD 7.0 + FreeRadius1.1.7 + mpd4 + MySQL-5.0.67 (windowsXP and Vista Clients) Well, I found a solution here http://www.usenet-forums.com/freeradius-users/280602-re-freeradius-mysql-cry... written by Alan DeKok. But I haven't got it working. radcheck was : +----+----------+----------------------+----+---------------------------------------+ | id | UserName | Attribute | op | Value | +----+----------+----------------------+----+---------------------------------------+ | 1 | user1 | Password-With-Header | := | {md5}c4ca4238a0b923820dcc509a6f75849b | and raduis -X said : rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group CHAP for request 0 rlm_chap: login attempt by "user1" with CHAP password rlm_chap: Could not find clear text password for user user1 modcall[authenticate]: module "chap" returns invalid for request 0 modcall: leaving group CHAP (returns invalid) for request 0 auth: Failed to validate the user. radiusd's searching a plain-text password. Then I googled a little bit more and found a combination with Attribute='Auth-Type' and Value='Crypt-Local', generated a hash using $ openssl passwd -1 1 $1$HR1R2p.2$7tsK8wE30pDf6AQ6KEi6d/ Unfortunately, it doesn't work too.. It that possible to get hashed passwords together with MS_CHAP? -- Yuriy Grishin.
It that possible to get hashed passwords together with MS_CHAP?
http://deployingradius.com/documents/protocols/compatibility.html Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
It that possible to get hashed passwords together with MS_CHAP?
http://deployingradius.com/documents/protocols/compatibility.html
Thanks.
Yuriy Grishin wrote:
Hello,
I'm trying to conceal plain-text passwords from my radius.radcheck database in order to it'll be useless if it's stolen.
That's admirable, but generally useless. And often counter-productive.
| 1 | user1 | Password-With-Header | := | {md5}c4ca4238a0b923820dcc509a6f75849b |
MD5 hashed passwords...
and raduis -X said : ... modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type CHAP
... are incompatible with CHAP. http://deployingradius.com/documents/protocols/compatibility.html What you want to do is impossible. You MUST have the clear-text passwords in the DB in order to do CHAP.
It that possible to get hashed passwords together with MS_CHAP?
You are doing CHAP, not MS-CHAP. They are very different. Alan DeKok.
Alan DeKok wrote:
Yuriy Grishin wrote:
Hello,
I'm trying to conceal plain-text passwords from my radius.radcheck database in order to it'll be useless if it's stolen.
That's admirable, but generally useless. And often counter-productive.
You bet, I've spent all the day and the result is 0.
| 1 | user1 | Password-With-Header | := | {md5}c4ca4238a0b923820dcc509a6f75849b |
MD5 hashed passwords...
Yes. I did it that way : mysql> ....Value=concat('{md5}', md5('1')) where ...;
and raduis -X said :
...
modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type CHAP
... are incompatible with CHAP.
http://deployingradius.com/documents/protocols/compatibility.html
What you want to do is impossible. You MUST have the clear-text passwords in the DB in order to do CHAP.
I suspected that it's impossible so I asked a good (correct) question.
It that possible to get hashed passwords together with MS_CHAP?
You are doing CHAP, not MS-CHAP. They are very different.
Yeah, you're right I'm doing CHAP. Thanks a lot for the explanation!
participants (3)
-
Alan DeKok -
tnt@kalik.net -
Yuriy Grishin