pam_radius_auth issue
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jul 20 16:40:53 CEST 2006
Mircea Harapu wrote:
>>> I'm trying to make a ssh authentication with pam_radius_auth + freeradius +
>>> ldap
>>> The problem is that radius is sending the password to ldap in clear and not
>>> crypted with CRYPT as configured in ldap module.
>> Huh? pam_radius_auth sends the password to FreeRADIUS in the clear,
>> because that's what it does. FreeRADIUS sends this to LDAP because
>> LDAP doesn't understand anything else.
>
> sending passwords in clear in a network is not secure. pam_radius_auth does have
> md5 crypting capabilities. That's why you need to set radius key.
PAP sends the following radius request:
User-Name = "Someuser"
User-Password = "somepassword"
HOWEVER, the User-Password field in a radius packet is defined by the RFC to
be encrypted with the radius shared secret.
At the radius server, the password field is decrypted and processed in
plaintext inside the radius server.
This is at least as secure as sending a plaintext password over the wire.
>
>> And there is NO configuration in the LDAP module to send the
>> password in crypted form. I think you're mistaking the configuration
>> that *reads* the password from LDAP for something else.
>
> auto_header = yes
> that means that it checks for encryption types .
I think Alan, as the main FreeRadius developer, is probably aware of
that feature. He is aware that it does NOT do what you claim.
"auto_header" is responsible for detecting the {type} header when the
userPassword attribute is *read from* the LDAP server. The {type} field
is stripped, and used to put the following value into the correct radius
config attribute e.g.
* {clear} -> User-Password
* {crypt} -> Crypt-Password
* {ssha} -> SSHA-Password
...and so on.
*Then* the radius server processes a PAP request like so:
1. request comes in
User-Name = foo
User-Password = encrypted_with_radius_secret(bar)
2. authorize section is run
2a. ldap module is run - userPassword: {crypt}baAP5K9PT1lcc
2b. auto_header puts "Crypt-Password = baAP5K9PT1lcc" into config items
3. authenticate is run - Auth-Type = Local
3b. The radius server sees that Crypt-Password is set and does:
if (crypt(User-Password, 'ba')=='baAP5K9PT1lcc')
auth_ok;
I hope that is clear.
Your original mail stated:
> I'm trying to make a ssh authentication with pam_radius_auth + freeradius +
> ldap
> The problem is that radius is sending the password to ldap in clear and not
> crypted with CRYPT as configured in ldap module.
As Alan tried to explain to you, pam_radius_auth is doing nothing wrong.
What is undoubtedly happening is that you have the radius server
configured incorrectly.
I suspect you want it to do this:
1. request comes in
2. fetch password from ldap
3. compare crypted password from LDAP with password supplied
I suspect what it's actually doing is:
1. request comes in
2. ldap searched for user - found
3. password is checked by doing LDAP simple bind
If you want the first, configure the radius server to do that. Hint: see
the "set_auth_type = no" option on recent versions of the server, or
have the users file read:
DEFAULT Auth-Type := Local
Or, be more clear about what the problem is. "It doesn't work how I
think it should" does not help, especially when you are wrong in your
assumptions.
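The two mechanisms Phil describes, as an added worked example (this is not code from the thread, from pam_radius_auth or from FreeRADIUS): first, how a PAP User-Password is hidden on the wire with the RADIUS shared secret and the Request Authenticator, following RFC 2865 section 5.2, and that the server has to recover the plaintext before it can compare it against a crypt hash; second, the {type}-header dispatch that rlm_ldap's auto_header performs on a userPassword value read from LDAP. The shared secret, authenticator and passwords are constructed sample data, and the header-to-attribute table is an illustration of the mapping the post lists, not FreeRADIUS's source.

```python
"""Added example, not from the thread or from FreeRADIUS/pam_radius_auth.

(1) RFC 2865 5.2 User-Password hiding: what the client does before sending,
    and what the server must undo before it can check the password.
(2) The {type}-header split that rlm_ldap's auto_header does on userPassword.

All secrets, authenticators and passwords here are constructed sample data.
"""
import hashlib
import os


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password, secret, authenticator):
    """Client side (what pam_radius_auth does to User-Password).

    RFC 2865 5.2: pad the password with NULs to a multiple of 16 octets, then
    c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ... block by block.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block  # chaining: next key block depends on this ciphertext
    return bytes(out)


def reveal_user_password(hidden, secret, authenticator):
    """Server side: undo the hiding, which requires the same shared secret.

    The result is the plaintext password; only now can the server run
    crypt()/SSHA/etc. against the stored hash. A crypt hash cannot be
    compared against anything else.
    """
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")  # strip the RFC padding


# {type} headers and the config attribute each selects. This mirrors the
# mapping in the post and is an illustration, not FreeRADIUS's own table.
HEADER_TO_ATTR = {
    "clear": "User-Password",
    "cleartext": "User-Password",
    "crypt": "Crypt-Password",
    "md5": "MD5-Password",
    "smd5": "SMD5-Password",
    "sha": "SHA-Password",
    "ssha": "SSHA-Password",
    "nt": "NT-Password",
    "lm": "LM-Password",
}


def auto_header(userpassword):
    """Split a userPassword value into (config attribute, stored value).

    A value with no recognised {type} header is treated as cleartext, which
    is the only thing a bare userPassword can sensibly be compared to.
    """
    if userpassword.startswith("{"):
        tag, sep, value = userpassword[1:].partition("}")
        if sep and tag.lower() in HEADER_TO_ATTR:
            return HEADER_TO_ATTR[tag.lower()], value
    return "User-Password", userpassword


if __name__ == "__main__":
    secret = b"testing123"   # constructed shared secret
    ra = os.urandom(16)      # Request Authenticator: random per request
    on_the_wire = hide_user_password(b"somepassword", secret, ra)
    print("User-Password on the wire:", on_the_wire.hex())
    print("recovered at the server:  ", reveal_user_password(on_the_wire, secret, ra))
    print(auto_header("{crypt}baAP5K9PT1lcc"))
```

Note what this does and does not buy you: the hidden attribute is only as strong as the shared secret and MD5, and the server necessarily ends up holding the plaintext, which is exactly why Phil says it is "at least as secure as" a plaintext password and no more. The auto_header split is the read path; nothing in it ever turns the incoming User-Password into a crypt string.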