PAP and clear text

Stefan.Neis at Stefan.Neis at
Sat Sep 17 02:10:23 CEST 2005


> You must have missed the information in RFC 2865 (RADIUS), which is also 
> a Fine Manual.  The PAP password is XOR'd with the MD5 hash of the 
> shared secret and the authenticator.

Yes, that's a bit clearer than saying "the password is hashed", since it
also shows that the process is reversible and you can easily obtain the
cleartext password from the "obfuscated" password.

> You've been reading about the protocol prior to the RADIUS client's 
> involvement. The same thing applies to CHAP, just to head you off.

No, not quite. Here, the password is (essentially) used as a key to compute
the hash value of a challenge. Most notably, this means you (or the server) have
no way whatsoever to get back to the clear text password from what is transmitted
to the server.


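To make the difference between the two mechanisms concrete, here is an added example that is not part of the original thread or of FreeRADIUS itself. It implements the User-Password obfuscation from RFC 2865 section 5.2 (16-octet blocks of the NUL-padded password XOR'd with MD5(secret + authenticator), chaining each ciphertext block into the next hash) together with the matching decoder, and the CHAP-Password response from RFC 2865 section 5.3 / RFC 1994 (MD5(ident + password + challenge)). The shared secret, password, authenticator and challenge values are constructed for the demo. Running it shows that anyone holding the shared secret turns a captured PAP User-Password back into cleartext, whereas a captured CHAP response can only be checked against a candidate password, never inverted; the flip side is that a CHAP server must keep the cleartext password on hand to do that check.

```python
import hashlib
import hmac
import os


def pap_encode(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: obfuscate a PAP password for the User-Password attribute."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    # Pad with NULs to a multiple of 16 octets (so a trailing NUL in the
    # password itself cannot be represented; the decoder strips them).
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    chain = authenticator  # b1 = MD5(S + RA), b(i) = MD5(S + c(i-1))
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + chain).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out += c
        chain = c
    return bytes(out)


def pap_decode(encoded: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Reverse pap_encode. Needs only the shared secret and the authenticator
    that travel with (or are known to) the same RADIUS exchange."""
    if not encoded or len(encoded) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    chain = authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        b = hashlib.md5(shared_secret + chain).digest()
        out += bytes(c ^ k for c, k in zip(block, b))
        chain = block  # next key block is derived from the ciphertext block
    return bytes(out).rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 5.3: the 16-octet value carried after the CHAP Ident."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Ident is a single octet")
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(ident: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server-side check: recompute the MD5 over the cleartext password it
    stores and compare in constant time. The response itself is not invertible."""
    return hmac.compare_digest(chap_response(ident, stored_password, challenge), response)


if __name__ == "__main__":
    # Constructed demo values (not from any real deployment).
    secret = b"testing123"
    password = b"correct horse battery"
    authenticator = os.urandom(16)

    on_the_wire = pap_encode(password, secret, authenticator)
    print("PAP User-Password on the wire:", on_the_wire.hex())
    # Anyone with the shared secret recovers the cleartext directly.
    print("recovered with shared secret:", pap_decode(on_the_wire, secret, authenticator))

    challenge = os.urandom(16)
    resp = chap_response(7, password, challenge)
    print("CHAP response on the wire:", resp.hex())
    # The server can only confirm a candidate; it cannot reverse the hash.
    print("verify correct password:", chap_verify(7, password, challenge, resp))
    print("verify wrong password:  ", chap_verify(7, b"wrong", challenge, resp))
```

The obfuscation in RFC 2865 is keyed only by the shared secret plus a public authenticator, so its strength is exactly the strength and secrecy of that shared secret; the usual mitigation for PAP is to carry RADIUS over an encrypted transport (RadSec/TLS or IPsec) rather than rely on it. CHAP avoids sending anything reversible, at the cost of the server needing the cleartext password in its store.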