Please HELP!!! Any ideas??? MySQL and users file... Difference???
Alan, I've solved my problems already... I've even finished the custom modification to dialup-admin which takes care of changing the Crypt-Passwords to User-Passwords for users accessing the new services. Thanks for clearing things up...
btest | NT-Password | == | NT-hashbla-bla-bla^&&@0-3443 btest | Crypt-Password | == | $$KyUhHIHD$R7mAm4rPX1q4WTEJY5rKQ1
Which is exactly what I keep saying is not needed, and is causing problems for you.
OK, I understood your point, but would you be so kind to explain WHY do you think it is such a bad idea (besides the fact that it doesn't work with the current version of rlm_sql)... The solution seems to be perfectly logical: - none of the network technitians on-site can abuse user's passwords since they are encrypted and supposedly beyound their cracking abilities, and both PAP and MS-CHAP should work... OK, again, it doesn't work NOW, but why shouldn't it? What's so evil about this configuration? Btw, in freeradius FAQ you, guys, claim, that PAP is better than CHAP because it allows storing passwords in encrypted form. I kinda agree with that... Why do you now claim that storing in clear text is better? Ok, it is less headache for me, but what about privacy rights of my users? Thanks Alex
"Alex Savguira" <savguira@gmail.com> wrote:
OK, I understood your point, but would you be so kind to explain WHY do you think it is such a bad idea
As I said before: it gains you nothing but additional complexity. It's completely unnecessary.
none of the network technitians on-site can abuse user's passwords since they are encrypted and supposedly beyound their cracking abilities, and both PAP and MS-CHAP should work... OK, again, it doesn't work NOW, but why shouldn't it? What's so evil about this configuration?
Nothing is evil. It just makes your life more difficult, and gains you *nothing*.
Btw, in freeradius FAQ you, guys, claim, that PAP is better than CHAP because it allows storing passwords in encrypted form. I kinda agree with that... Why do you now claim that storing in clear text is better?
If your requirement is to do MS-CHAP, you need either the clear-text passwords, or the NT hash.
Ok, it is less headache for me, but what about privacy rights of my users?
That's up to you and your local legal situation. FreeRADIUS has to work in countries other than where you live, where laws are different. Alan DeKok.
Alex Savguira wrote:
Alan,
I've solved my problems already... I've even finished the custom modification to dialup-admin which takes care of changing the Crypt-Passwords to User-Passwords for users accessing the new services. Thanks for clearing things up...
btest | NT-Password | == | NT-hashbla-bla-bla^&&@0-3443 btest | Crypt-Password | == | $$KyUhHIHD$R7mAm4rPX1q4WTEJY5rKQ1
Which is exactly what I keep saying is not needed, and is causing problems for you.
OK, I understood your point, but would you be so kind to explain WHY do you think it is such a bad idea (besides the fact that it doesn't
If you have the clear or NT hash, you don't need the Crypted one. PAP can use either. CHAP *requires* clear or NT hash. Read that again. Requires. It is not a preference of Alan or anyone else. With CHAP, RADIUS (of any kind, not just FreeRADIUS) receives a crypted pass over the wire. You cannot compare two crypted passwords unless they happen to be crypted in exactly the same way (unlikely). Since you can't decrypt them, one of the passwords has to be clear to be able to be crypted in the proper way and then compared to the other. With PAP, the password is clear over the wire, so it can compare to either a clear or a crypted password. NT Hash is just as secure as clear. The clear password can be derived from the hash with little effort and is not considered a security enhancement. So, to remove confusion and possible setup issues (syncing issues during password changes, etc), if a user has a hashed or clear password, remove the crypted one. It does not add anything and can only cause problems. You can always create a crypted password if you want to force PAP at a later date. -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com
participants (3)
-
Alan DeKok -
Alex Savguira -
Dennis Skinner