Mysql problem

Guy Fraser guy at incentre.net
Fri Mar 17 17:48:55 CET 2006


On Thu, 2006-16-03 at 10:45 +0100, KNO wrote:
> On 3/16/06, Alan DeKok <aland at ox.org> wrote:
> > "Fabiano Rodrigo Boscatto" <fabiano.boscatto at pucpr.br> wrote:
> > > Hi there, i have freeradius working fine with mysql authentication. The
> > > problem is that the User-Password is stored in mysql table as clear text. Is
> > > there a way to crypt that?
> >
> >   Change User-Password to Crypt-Password, and encrypt the password
> > with the Unix crypt() tool.
> >
> >   Then CHAP & MS-CHAP stop working.
> >
> >   If you want to encrypt the password with some kind of key, and then
> > make the key available to FreeRADIUS too, that might be useful.  Maybe.
> >
> >   But it's not as useful as it might first look.  You're better off
> > controlling access to the entire MySQL DB, which contains a lot more
> > security information than the clear-text password.
> >
> >   Alan DeKok.
> 
> And what must I do if I want to use MD5 to store the passwords?
> Greets, Aitor
> 
If you are using a Unix/Linux system that can use MD5 passwords 
in the password file, then -libcrypt likely supports MD5 passwords.

I have tested using SHA1/DES/MD5 encrypted passwords from the 
system password file on FreeBSD and put them in SQL and it worked.

One thing I discovered while testing was that you will need to 
set Auth-Type := Crypt-Local and Crypt-Password == '<encrypted-data>'.

I tend to put the Auth-Type settings in radgroupcheck and assign 
users with encrypted passwords to different groups than those with 
clear text.

Example:

1 chap-unlimited Auth-Type := Local
2 pap-unlimited Auth-Type := Crypt-Local

Then radcheck would be like :

1 fredf User-Password == wilma
2 troll Crypt-Password == $1$f3d5.Cf9$aeM0tnhrmahLR/yHMlEwU1

And usergroup would be like :

1 fredf chap-unlimited
2 troll pap-unlimited


I have just started working on a new PHP management system and 
am intending on supporting the system crypt() command for 
encoding passwords when updated. Dialup Admin has not been 
updated much, since the last time I used it, and it does not 
provide many of the functions I need. I am using code I have 
written from scratch, but in the day I have been working on it 
I have almost got a function that correctly parses radiusd.conf 
and any files included. Once I can accurately read all the
config files that are not intended on being deprecated then I 
will make the functions to modify them. Once that is done 
I will concentrate on functions to maintain MySQL and 
PostgreSQL users and accounting tasks. It is a fairly large 
task, and it may get sidelined for a more simple system, but 
I want to start using FreeRadius, so I can decommission the 
Cistron server I customized to send accounting info directly 
to a PostgreSQL data base. Although the current system has 
been working flawlessly for over 5 years, FreeBSD has a lot 
more functionality, flexibility and is currently maintained
by more people than just me.

TTFN
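
An added example, not part of the original post and not FreeRADIUS code: the MD5 crypt() format used by the Crypt-Password value above ($1$<salt>$<hash>), with the re-hash-and-compare check that crypt()-style verification relies on and a helper that builds the radcheck row replacing a clear-text User-Password entry. The function names and the (username, attribute, op, value) row layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # crypt(3) base64: 6 bits per character, least significant first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password, salt):
    """MD5-based crypt(3) ("$1$" scheme); returns '$1$<salt>$<22 chars>'."""
    pw, sl = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + sl + pw).digest()
    buf = pw + b"$1$" + sl
    for n in range(len(pw), 0, -16):
        buf += alt[:min(16, n)]
    n = len(pw)
    while n:
        buf += b"\0" if n & 1 else pw[:1]
        n >>= 1
    final = hashlib.md5(buf).digest()
    for i in range(1000):  # fixed 1000-round stretch
        r = pw if i & 1 else final
        if i % 3:
            r += sl
        if i % 7:
            r += pw
        r += final if i & 1 else pw
        final = hashlib.md5(r).digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64(final[a] << 16 | final[b] << 8 | final[c], 4)
    return "$1$" + sl.decode() + "$" + out + _to64(final[11], 2)

def check_crypt_password(candidate, stored):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    scheme, salt = stored.split("$")[1:3]
    if scheme != "1":
        raise ValueError("only the $1$ (MD5) scheme is handled here")
    return hmac.compare_digest(md5_crypt(candidate, salt), stored)

def radcheck_row(username, cleartext):
    """Build the radcheck tuple that replaces a User-Password row."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return (username, "Crypt-Password", "==", md5_crypt(cleartext, salt))
```

Because the server only ever holds the one-way hash, it cannot compute a CHAP or MS-CHAP response for such a user, which is why those users are kept in a separate PAP-only group above.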




