Please HELP!!! Any ideas??? MySQL and users file... Difference???

Dennis Skinner dskinner at bluefrog.com
Tue Feb 28 00:15:05 CET 2006


Alex Savguira wrote:
> Alan,
> 
> I've solved my problems already... I've even finished the custom
> modification to dialup-admin which takes care of changing the
> Crypt-Passwords to User-Passwords for users accessing the new
> services. Thanks for clearing things up...
> 
>>> btest        | NT-Password  | == | NT-hashbla-bla-bla^&&@0-3443
>>> btest        | Crypt-Password | == | $$KyUhHIHD$R7mAm4rPX1q4WTEJY5rKQ1
> 
>>  Which is exactly what I keep saying is not needed, and is causing
>> problems for you.
> 
> OK, I understood your point, but would you be so kind to explain WHY
> do you think it is such a bad idea (besides the fact that it doesn't

If you have the clear or NT hash, you don't need the Crypted one.  PAP
can use either.  CHAP *requires* clear or NT hash.  Read that again.
Requires.  It is not a preference of Alan or anyone else.

With CHAP, RADIUS (of any kind, not just FreeRADIUS) receives a crypted
pass over the wire.  You cannot compare two crypted passwords unless
they happen to be crypted in exactly the same way (unlikely).  Since you
can't decrypt them, one of the passwords has to be clear to be able to
be crypted in the proper way and then compared to the other.

With PAP, the password is clear over the wire, so it can compare to
either a clear or a crypted password.

NT Hash is just as secure as clear.  The clear password can be derived
from the hash with little effort and is not considered a security
enhancement.

So, to remove confusion and possible setup issues (syncing issues during
password changes, etc), if a user has a hashed or clear password, remove
the crypted one.  It does not add anything and can only cause problems.
You can always create a crypted password if you want to force PAP at a
later date.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
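The point Dennis makes about CHAP versus PAP can be shown in a few lines. The following is an added illustration, not code from the post or from FreeRADIUS. It models RFC 1994 CHAP (response = MD5(identifier || secret || challenge)) and PAP against two constructed user records: one holding a cleartext User-Password, one holding only a one-way hash. A salted SHA-256 string stands in for the Crypt-Password attribute so the example runs without the platform crypt(3); the user names, the password and the challenge bytes are made up.

```python
import hashlib
import hmac
from typing import Optional


def make_salted_hash(password: str, salt: str) -> str:
    """Stand-in for a crypt-style one-way hash: 'sha256$<salt>$<hex>'.
    Constructed for this example; real Crypt-Password values use crypt(3)."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"sha256${salt}${digest}"


def check_salted_hash(stored: str, password: str) -> bool:
    """Recompute the hash from the cleartext we received and compare."""
    _, salt, _ = stored.split("$", 2)
    return hmac.compare_digest(stored, make_salted_hash(password, salt))


# Constructed user records, keyed the way the users file attributes are named.
USER_DB = {
    "btest_clear": {"User-Password": "hunter2"},
    "btest_crypt": {"Crypt-Password": make_salted_hash("hunter2", "c0nstructedsalt")},
}


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """What the client sends: MD5 over identifier, cleartext secret, challenge (RFC 1994)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def chap_verify(record: dict, chap_id: int, challenge: bytes, response: bytes) -> Optional[bool]:
    """Server side of CHAP.

    Returns True/False when the record can be checked, or None when it holds
    only a one-way hash: the server cannot recompute MD5(id||secret||challenge)
    without the secret, and it cannot compare two unrelated hashes either.
    """
    clear = record.get("User-Password")
    if clear is None:
        return None  # only Crypt-Password present: CHAP is impossible here
    expected = chap_response(chap_id, clear.encode(), challenge)
    return hmac.compare_digest(expected, response)


def pap_verify(record: dict, password: str) -> bool:
    """Server side of PAP: the cleartext arrived, so either stored form works."""
    if "User-Password" in record:
        return hmac.compare_digest(record["User-Password"].encode(), password.encode())
    if "Crypt-Password" in record:
        return check_salted_hash(record["Crypt-Password"], password)
    return False


if __name__ == "__main__":
    challenge = bytes.fromhex("0011223344556677")  # constructed NAS challenge
    resp = chap_response(7, b"hunter2", challenge)
    for name, rec in USER_DB.items():
        print(f"{name}: CHAP={chap_verify(rec, 7, challenge, resp)} "
              f"PAP={pap_verify(rec, 'hunter2')}")
```

Running it shows CHAP succeeding only for the record with a cleartext password and returning None for the crypt-only record, while PAP succeeds for both; that is the whole reason a Crypt-Password next to a User-Password adds nothing but a second value to keep in sync.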


