Hi All. I have a few freeRADIUS newbie questions for you. I have always read and been told that PAP is insecure because it transmits passwords in clear text. However, If I sniff the communication between my NAS and server when PAP is used, the password is indeed obfuscated. It appears to be hashed. So my questions are: 1) First and foremost, am I interpreting this correctly? 2) If so, is it the shared secret defined in the clients.conf file that is used as a key for the hash? 3) If not, any clue as to what I am seeing, and in that case, what is the shared secret used for? As you can see, I am looking for some basic info about the flow of the connection. I have taken an honest shot at RTFM, but have not come across these details yet. Can someone please explain or point me to an explanation? Thanks in advance. Chuck
Chuck Slate <chuck@cslate.net> wrote:
I have always read and been told that PAP is insecure because it transmits passwords in clear text. However, If I sniff the communication between my NAS and server when PAP is used, the password is indeed obfuscated. It appears to be hashed.
Yes. The passwords are NOT transmitted in the clear. Many, many, people are confused about that.
2) If so, is it the shared secret defined in the clients.conf file that is used as a key for the hash?
Yes. See the RFC's for how.
As you can see, I am looking for some basic info about the flow of the connection. I have taken an honest shot at RTFM, but have not come across these details yet. Can someone please explain or point me to an explanation?
The O'Reilly RADIUS book has a good introduction to this. Alan DeKok.
You must have missed the information in RFC 2865 (RADIUS), which is also a Fine Manual. The PAP password is XOR'd with the MD5 hash of the shared secret and the authenticator. You've been reading about the protocol prior to the RADIUS client's involvment. The same thing applies to CHAP, just to head you off. Chuck Slate wrote:
Hi All.
I have a few freeRADIUS newbie questions for you.
I have always read and been told that PAP is insecure because it transmits passwords in clear text. However, If I sniff the communication between my NAS and server when PAP is used, the password is indeed obfuscated. It appears to be hashed.
So my questions are: 1) First and foremost, am I interpreting this correctly? 2) If so, is it the shared secret defined in the clients.conf file that is used as a key for the hash? 3) If not, any clue as to what I am seeing, and in that case, what is the shared secret used for?
As you can see, I am looking for some basic info about the flow of the connection. I have taken an honest shot at RTFM, but have not come across these details yet. Can someone please explain or point me to an explanation?
Thanks in advance.
Chuck
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Chuck Slate -
Michael Lecuyer