2.x.x (and earier?): yet another decoding SSHA issue

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Jul 16 21:47:58 CEST 2013

On 16 Jul 2013, at 16:53, Matthew Newton <mcn4 at LEICESTER.AC.UK> wrote:

> On Tue, Jul 16, 2013 at 04:12:53PM +0100, Arran Cudbard-Bell wrote:
>>> Is it possible to add a qualifier indicating the format of the item,
>>> e.g. base64, hex, etc.?
>> You could use as part of the atribute name to indicate a cast.
>> <string>SSHA-Password := <hash>
>> But it's still awful.
>> Anyway Stefan's point about SSHA is correct. Maybe an option to
>> turn off the normalisation done by rlm_pap would be useful.
> Having rehashed the rlm_pap code for v3, I'd question anyone's
> sanity wanting to touch the v2 code... I'm still in recovery :-)

Hehe. You should of seen the LDAP module, Alan gets major props for tackling that one :)

> I've done a pull request for v3 that adds this option. It
> compiles, but I've not tested it yet.

Eh there's not much to go wrong.

> The most sane thing for rlm_pap in v2 would be to pull in the
> module from master, but it probably wouldn't be hard to add a
> normalize option to that as well.

TBH it's extremely unlikely that if people use pre-decoded password hashes that there'll be an issue. Especially if they keep their salts to a sane length.

It's just useful to be able to turn off normalisation where it's not required to completely eliminate the chance of any issues occurring.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

More information about the Freeradius-Devel mailing list