[PEAP] Authenticate against OpenLDAP Directory with NT Hashes
Alan DeKok
aland at ox.org
Sun Sep 4 21:25:33 CEST 2005
Sebastian Mauer <sebastian at n-unity.de> wrote:
> I just researched a little bit in the freeradius-users list and found
> out that there have to be clear passwords in the LDAP Directory to get
> FreeRADIUS to work with LDAP. However I think it's not very secure to
> store the passwords in clear in the Directory, even if there are ACLs in
> place.
Too bad. That's how the security protocols were designed. And
there are good reasons why they were designed that way.
> Is it really not possible to do PEAP (w. MSCHAPv2) when I have NT-Hashes
> in the Directory?
It *is* possible. But only because the NT hashes are "plain-text
equivalent".
This means having the NT hash is just as good (for an attacker) as
having the clear-text password.
So using NT hashes in LDAP may make you *feel* more secure, because
they're not "clear-text". But it won't *honestly* be more secure.
Why? 5G of disk space and 30 seconds of computer time can turn 90%
or more of NT hashes back into clear-text passwords, among other
reasons.
Alan DeKok.