FreeRadius + MySQL & Encrypted passwords

Bogdan Dumitriu - Technical Support Team helpdesk22 at mycybernet.net
Mon May 8 15:43:18 CEST 2006


Hi Miguel,
 
Below you will find the config I'm using. It works with Unix Crypt but
not with md5 or SHA1. It looks like for md5 or sha1 the crypt-password
attribute has to be changed to MD5-password or SHA1-password. However my
freeRadius doesn't recognize any of these 2 attributes (rlm_sql: unknown
attribute SSHA-Password). For the time being I'll stick with Unix
Crypt.
 
Please let me know if you find a better config.
 
Bogdan.
 
 
 
-----Original Message-----
From: Bogdan Dumitriu - Technical Support Team
[mailto:helpdesk22 at mycybernet.net] 
Sent: May 4, 2006 3:40 PM
To: 'freeradius-users at lists.freeradius.org'
Subject: FreeRadius + MySQL & Encrypted passwords


Hi all,
 
I've been trying to encrypt the passwords in mySQL using SHA1 or MD5
without any luck for the last several days.
 
First let me tell you a bit about our system:
 
RedHat ES 4
freeradius-1.0.1-2.RHEL4
freeradius-mysql-1.0.1-2.RHEL4
mysql-server-4.1.7-4.RHEL4.1
mysql-4.1.7-4.RHEL4.1
 
Everything works fine with clear text passwords and if I use Unix Crypt.
 
This is the config that works with Unix Crypt:
 
radcheck
+-----+----------+----------------+----+---------------+
| id  | UserName | Attribute      | op | Value         |
+-----+----------+----------------+----+---------------+
| 844 | bogdan   | Crypt-Password | == | 55MCU5TXMoKsA |
+-----+----------+----------------+----+---------------+
usergroup
+-----+------------+-------------+
| id  | UserName   | GroupName   |
+-----+------------+-------------+
| 844 | bogdan | adsl-static |
+-----+------------+-------------+
radgroupcheck
+----+-------------+-----------+----+-------+
| id | GroupName   | Attribute | op | Value |
+----+-------------+-----------+----+-------+
|  1 | adsl        | Auth-Type | := | PAP   |
|  2 | adsl-static | Auth-Type | := | PAP   |
 
 
radius.conf
-------------
...........................
 
modules {
..................
        pap {
                encryption_scheme = crypt
        }
....................
}
 
authenticate {
..............
        Auth-Type PAP {
               pap
        }
...............
}
 
 
This works perfectly!

Now I want to use MD5 or SHA1, so I change:
 
        pap {
                encryption_scheme = sha1 (or md5)
        }
 
and this is what I get in /usr/sbin/radiusd -X
 
 
  modcall[authorize]: module "sql" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_pap: login attempt by "shipcoadsl" with password test
rlm_pap: Crypt-Password attribute but encryption scheme is not set to CRYPT
  modcall[authenticate]: module "pap" returns fail for request 0
modcall: group Auth-Type returns fail for request 0
 
if I change:
 
+-----+----------+----------------+----+----------------+
| id  | UserName | Attribute      | op | Value          |
+-----+----------+----------------+----+----------------+
| 844 | bogdan   | Crypt-Password | == | {md5} password |
+-----+----------+----------------+----+----------------+
 
to:
 
+-----+----------+---------------+----+----------------+
| id  | UserName | Attribute     | op | Value          |
+-----+----------+---------------+----+----------------+
| 844 | bogdan   | User-Password | == | {md5} password |
+-----+----------+---------------+----+----------------+
 
and this is what I get:
 
rlm_sql (sql): No matching entry in the database for request from user [shipcoadsl]
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [shipcoadsl/test] (from client TestNAS2 port 0)
 
 
I also tried changing:
 
radgroupcheck
+----+-------------+-----------+----+-------+
| id | GroupName   | Attribute | op | Value |
+----+-------------+-----------+----+-------+
|  1 | adsl        | Auth-Type | := | PAP   |

to:
 
radgroupcheck
+----+-------------+-----------+----+-------+
| id | GroupName   | Attribute | op | Value |
+----+-------------+-----------+----+-------+
|  1 | adsl        | Auth-Type | := | MD5   |
 
 
then add:
 
authenticate {
..............
        Auth-Type MD5 {
               pap
        }
...............
}

and I got exactly the same answer as before!
 
 
Tried adding to the radgroupreply:
 
| 26 | adsl-static | Auth-Type         | := | PAP           |    0 |

but still no luck!
 
Is this a bug? What am I missing?
 
Your help will be greatly appreciated!
 
Thanks,
Bogdan.
 
 
 
 -----Original Message-----
From: freeradius-users-bounces+helpdesk22=mycybernet.net at lists.freeradius.org
[mailto:freeradius-users-bounces+helpdesk22=mycybernet.net at lists.freeradius.org]
On Behalf Of Miguel Angel Quiles
Sent: May 8, 2006 5:34 AM
To: FreeRadius users mailing list
Subject: Re: FreeRadius + MySQL & Encrypted passwords



Hi,
 
I would like to find out how to configure freeradius so I don't have
to save clear text passwords in the users file.
I've been following the mailing list but I've seen so many ways of
configuring crypted passwords, md5, .... that right now I've got a mess
in my head.
If someone can help me, or point me to a tutorial or a link to a
website where I can find some clear info on this, I would appreciate it.
 
Thank you.
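
The debug output in this thread shows rlm_pap rejecting a row because the stored attribute does not match the configured encryption_scheme. As an added example (not part of the original messages and not FreeRADIUS code), the Python sketch below audits radcheck rows against a chosen scheme before the setting is changed. It assumes that the md5 and sha1 schemes compare hex digests; the function names and the alice and carol rows are constructed for illustration.

```python
import hashlib
import re

# Expected shape of the stored value per pap encryption_scheme. Digest lengths
# are properties of the algorithms; that the server expects hex digests for
# md5/sha1 is an assumption of this example, not stated in the thread.
VALUE_SHAPE = {
    "crypt": re.compile(r"[./0-9A-Za-z]{13}"),  # traditional DES crypt(3)
    "md5": re.compile(r"[0-9a-fA-F]{32}"),
    "sha1": re.compile(r"[0-9a-fA-F]{40}"),
}

def hex_digest(scheme, password):
    """Hex digest to store for the md5 or sha1 scheme (hex form assumed)."""
    return hashlib.new(scheme, password.encode()).hexdigest()

def audit_radcheck(rows, scheme):
    """Return (username, problem) for rows that cannot verify under scheme."""
    findings = []
    for user, attribute, _op, value in rows:
        if not attribute.endswith("-Password"):
            continue  # not a credential row (e.g. Auth-Type)
        if attribute == "Crypt-Password" and scheme != "crypt":
            # The mismatch rlm_pap reports in the debug output quoted above.
            findings.append((user, "Crypt-Password but scheme is " + scheme))
        elif scheme == "clear":
            findings.append((user, "password stored in clear text"))
        elif not VALUE_SHAPE[scheme].fullmatch(value):
            findings.append((user, "value is not a valid %s hash" % scheme))
    return findings

# Sample rows: the first is the row shown in the thread, the rest are constructed.
ROWS = [
    ("bogdan", "Crypt-Password", "==", "55MCU5TXMoKsA"),
    ("alice", "User-Password", "==", hex_digest("md5", "test")),
    ("carol", "User-Password", "==", "{md5} password"),
    ("carol", "Auth-Type", ":=", "PAP"),
]

if __name__ == "__main__":
    for scheme in ("crypt", "md5", "clear"):
        print(scheme, audit_radcheck(ROWS, scheme))
```

Running the audit for the target scheme before editing radiusd.conf lists the accounts that would start failing, which is the situation the poster hit when switching from crypt to md5.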
