2.x.x (and earier?): yet another decoding SSHA issue

Stefan Winter stefan.winter at restena.lu
Wed Jul 17 08:07:43 CEST 2013


>>> Is it possible to add a qualifier indicating the format of the item,
>>> e.g. base64, hex, etc.?
>> You could use as part of the atribute name to indicate a cast.
>> <string>SSHA-Password := <hash>
>> But it's still awful.
>> Anyway Stefan's point about SSHA is correct. Maybe an option to
>> turn off the normalisation done by rlm_pap would be useful.
> Having rehashed the rlm_pap code for v3, I'd question anyone's
> sanity wanting to touch the v2 code... I'm still in recovery :-)
> I've done a pull request for v3 that adds this option. It
> compiles, but I've not tested it yet.

Maybe I'm looking at this from a wrong angle, but... the breakage occurs
long before rlm_pap gets its hand on it. If you check the original error
message that I posted, this is a

[sql-imap-hash] SQL query error; rejecting user

So it never gets past the SQL instance.

So... does this mean my SQL table in the DB should swap SSHA1-Password
with <string>SSHA1-Password?

Or do I still have to change my encoding of the hashes from base64 to
hex in the DB attribute's value, and *additionally* use the string cast
later on in rlm_pap to prevent any further touching of the hash value?

In any case, let me know when there's something to test in 2.x.x.


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20130717/78666987/attachment.pgp>

More information about the Freeradius-Devel mailing list