pam_radius_auth issue
Mircea Harapu
mircea.harapu at rcs-rds.ro
Fri Jul 21 08:10:00 CEST 2006
> Mircea Harapu wrote:
> >>> I'm trying to make an ssh authentication with pam_radius_auth +
> >>> freeradius + ldap
> >>> The problem is that radius is sending the password to ldap in clear
> >>> and not crypted with CRYPT as configured in ldap module .
> >> Huh? pam_radius_auth sends the password to FreeRADIUS in the clear,
> >> because that's what it does. FreeRADIUS sends this to LDAP because
> >> LDAP doesn't understand anything else.
> >
> > sending passwords in clear in a network is not secure . pam_radius_auth
> > does have md5 crypting capabilities . that's why you need to set radius key .
>
> PAP sends the following radius request:
>
> User-Name = "Someuser"
> User-Password = "somepassword"
>
> HOWEVER, the User-Password field in a radius packet is defined by RFC to
> be encrypted with the radius shared secret.
The pam_radius_auth is sending User-Password without being encrypted.
I have set the same shared secret in /etc/raddb/server and clients.conf.
>
> At the radius server, the password field is decrypted and processed in
> plaintext inside the radius server.
>
> This is at least as secure as sending a plaintext password over the wire.
>
> >
> >> And there is NO configuration in the LDAP module to send the
> >> password in crypted form. I think you're mistaking the configuration
> >> that *reads* the password from LDAP for something else.
> >
> > auto_header = yes
> > that means that it checks for encryption types .
>
> I think Alan, as the main FreeRadius developer, is probably aware of
> that feature. He is aware that it does NOT do what you claim.
>
> "auto_header" is responsible for detecting the {type} header when the
> userPassword attribute is *read from* the LDAP server. The {type} field
> is stripped, and used to put the following value into the correct radius
> config attribute e.g.
>
> * {clear} -> User-Password
> * {crypt} -> Crypt-Password
> * {ssha} -> SSHA-Password
>
> ...and so on.
>
> *Then* the radius server processes a PAP request like so:
>
>
> 1. request comes in
> User-Name = foo
> User-Password = encrypted_with_radius_secret(bar)
> 2. authorize section is run
> 2a. ldap module is run - userPassword: {crypt}baAP5K9PT1lcc
> 2b. auto_header puts "Crypt-Password = baAP5K9PT1lcc" into config items
> 3. authenticate is run - Auth-Type = Local
> 3b. The radius server sees that Crypt-Password is set and does:
> if (crypt(User-Password, 'ba')=='baAP5K9PT1lcc')
> auth_ok;
>
> I hope that is clear.
>
> Your original mail stated:
>
> > I'm trying to make an ssh authentication with pam_radius_auth +
> > freeradius + ldap
> > The problem is that radius is sending the password to ldap in clear and
> > not crypted with CRYPT as configured in ldap module .
>
> As Alan tried to explain to you, pam_auth_radius is doing nothing wrong.
> What is undoubtedly happening is that you have the radius server
> configured incorrectly.
>
> I suspect you want it to do this:
>
> 1. request comes in
> 2. fetch password from ldap
> 3. compare crypted password from LDAP with password supplied
>
> I suspect what it's actually doing is:
>
> 1. request comes in
> 2. ldap searched for user - found
> 3. password is checked by doing LDAP simple bind
>
> If you want the first, configure the radius server to do that. Hint: see
> the "set_auth_type = no" option on recent versions of the server, or
> have the users file read:
>
> DEFAULT Auth-Type := Local
>
> Or, be more clear about what the problem is. "It doesn't work how I
> think it should" does not help, especially when you are wrong in your
> assumptions.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
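The following is an added example written for this thread; it is not code from pam_radius_auth, FreeRADIUS or rlm_ldap. It walks the PAP flow described above end to end: the NAS hides User-Password with the shared secret and Request Authenticator as RFC 2865 section 5.2 specifies, the server reveals it, the stored userPassword value is routed to a check item the way auto_header does for {clear}, {crypt} and {ssha}, and the comparison is made. The directory entries, usernames, salt and shared secrets are constructed. Two things are assumptions: a userPassword value with no recognised header is treated as cleartext, and {crypt} checks need a crypt(3) binding (Python's crypt module, removed in 3.13), so that path reports "unavailable" rather than guessing.

```python
"""Added example for this thread: PAP User-Password hiding (RFC 2865 5.2),
auto_header routing of an LDAP userPassword value, and the final check.
Illustrative code only, not pam_radius_auth or FreeRADIUS source.
All directory data, secrets and user names below are constructed."""
import base64
import hashlib
import hmac
import os

try:  # crypt(3) binding; deprecated in Python 3.11, removed in 3.13
    import crypt as _crypt
except ImportError:
    _crypt = None

# --- RFC 2865 section 5.2: User-Password hiding on the NAS -----------------

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NUL-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream; a mismatched shared secret yields garbage."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain, prev = plain + bytes(c ^ k for c, k in zip(block, key)), block
    return plain.rstrip(b"\x00")  # drop padding (a RADIUS password cannot end in NUL)

# --- rlm_ldap auto_header: {type} prefix -> check item ---------------------

HEADER_TO_CHECK_ITEM = {
    "clear": "User-Password",
    "crypt": "Crypt-Password",
    "ssha": "SSHA-Password",
}

def auto_header(user_password: str):
    """Strip the {type} header from a userPassword value and name the check item."""
    if user_password.startswith("{") and "}" in user_password:
        scheme, _, value = user_password[1:].partition("}")
        item = HEADER_TO_CHECK_ITEM.get(scheme.lower())
        if item:
            return item, value
    return "User-Password", user_password  # assumption: no known header = cleartext

def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()

def check_password(item: str, stored: str, supplied: bytes) -> bool:
    """The authenticate step: compare the revealed password with the check item."""
    if item == "User-Password":
        return hmac.compare_digest(stored.encode(), supplied)
    if item == "SSHA-Password":
        raw = base64.b64decode(stored)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(supplied + salt).digest(), digest)
    if item == "Crypt-Password":  # crypt(User-Password, salt) == stored
        if _crypt is None:
            raise RuntimeError("crypt(3) not available in this Python build")
        result = _crypt.crypt(supplied.decode("latin-1"), stored)
        return result is not None and hmac.compare_digest(result, stored)
    raise ValueError(f"no check defined for {item}")

# --- constructed directory and the full PAP round trip ---------------------

DIRECTORY = {  # constructed sample userPassword values
    "alice": make_ssha(b"bar", b"saltsalt"),
    "bob": "{clear}hunter2",
    "carol": "{crypt}baAP5K9PT1lcc",  # hash quoted in the thread; needs crypt(3)
}

def pap_authenticate(user: str, password: bytes, client_secret: bytes, server_secret: bytes) -> bool:
    """NAS hides the password, server reveals it, LDAP value is routed and checked."""
    authenticator = os.urandom(16)
    on_the_wire = hide_user_password(password, client_secret, authenticator)
    revealed = reveal_user_password(on_the_wire, server_secret, authenticator)
    stored = DIRECTORY.get(user)
    if stored is None:
        return False
    item, value = auto_header(stored)
    try:
        return check_password(item, value, revealed)
    except RuntimeError:  # crypt(3) unavailable: treat as reject rather than guess
        return False

if __name__ == "__main__":
    print(pap_authenticate("alice", b"bar", b"testing123", b"testing123"))
```

Note that hiding with MD5 and the shared secret is reversible by anyone who holds the secret, which is why the reply calls it "at least as secure as" plaintext rather than encryption in the usual sense; a mismatched secret on either side simply produces garbage and a reject, which is the symptom to look for when /etc/raddb/server and clients.conf disagree.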