FreeRadius + MySQL & Encrypted passwords
Tony Redstone
tony.redstone at googlemail.com
Thu May 18 16:06:08 CEST 2006
We had this problem so we did a dodgy but nonetheless functional small
hack to make it work. YMMV but you may find it useful until the next
proper release which hopefully will contain the new code which Alan
refers to.
Tony
in radiusd.conf:

pap {
        encryption_scheme = sha1
}

in mysql continue to use "Password" in radcheck but also set
Auth-Type:=PAP for the SHA1 encrypted passwords.
eg, say user abc1 has a SHA1 encrypted password and def2 has a
plaintext password:

radcheck:
username   attribute   op   value
abc1       Password    ==   760e7dab2836853c63805033e514668301fa9c47
def2       Password    ==   secretxyz

radgroupcheck:
groupname  attribute   op   value
papsha1    Auth-Type   :=   PAP

usergroup:
username   groupname
abc1       papsha1

then apply this to main/valuepair.c (ie if Auth-Type==PAP, skip
plaintext "Password" check):
--- ../freeradius-1.0.4/src/main/valuepair.c 2005-02-07
20:04:47.000000000 +0000
+++ src/main/valuepair.c 2005-07-22 14:56:31.000000000 +0100
@@ -259,7 +259,20 @@
case PW_PASSWORD:
if (pairfind(request, PW_PASSWORD) == NULL) {
continue;
+ } else {
+ int auth_type;
+ VALUE_PAIR *auth_type_pair;
+
+ if
(auth_type_pair=pairfind(check, PW_AUTH_TYPE)) {
+
if(!strcmp(auth_type_pair->strvalue, "PAP")) {
+ continue;
+ }
+ }
}
+
break;
}
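
Review bot: In the added else branch, "int auth_type;" is declared but never used, and the strcmp() on auth_type_pair->strvalue only matches when the string form of Auth-Type is exactly "PAP"; either drop the unused variable or use it to compare the attribute's integer value. The assignment inside "if (auth_type_pair=pairfind(check, PW_AUTH_TYPE))" should get an extra pair of parentheses or an explicit "!= NULL" so it does not read as a mistyped comparison. Since the continue skips the Password comparison for every entry whose check items carry Auth-Type PAP, and nothing in this hunk verifies the password, add a comment stating that verification is then left to the pap module.
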
Thanks Bogdan,
I've tried with mysql and the crypt passwords and it works fine.
Now I'm still wondering if there is any way with PAP to enable crypted
passwords with
MD5 or SHA1.
I don't know if I understood ok, tell me if I'm wrong.
I think that at the moment it's impossible to enable MD5 or SHA1 for
encrypted passwords,
but that they are working on it, so perhaps in future versions this will be
possible.
Thanks,
Miguel Angel
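
An added example, not part of the original post or of FreeRADIUS: a consistency audit for the radcheck / radgroupcheck / usergroup layout described above, flagging users whose stored value and Auth-Type disagree. The table and column names come from the post; user ghi3, its placeholder value, and the "40 hex digits means SHA1" heuristic are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data: the rows from the post plus one hypothetical
# user (ghi3) whose 40-hex value has no Auth-Type := PAP group.
ROWS = {
    "radcheck": [
        ("abc1", "Password", "==", "760e7dab2836853c63805033e514668301fa9c47"),
        ("def2", "Password", "==", "secretxyz"),
        ("ghi3", "Password", "==", "a" * 40),  # constructed placeholder
    ],
    "radgroupcheck": [("papsha1", "Auth-Type", ":=", "PAP")],
    "usergroup": [("abc1", "papsha1")],
}
COLUMNS = {
    "radcheck": "username, attribute, op, value",
    "radgroupcheck": "groupname, attribute, op, value",
    "usergroup": "username, groupname",
}
# Assumption: a value of exactly 40 hex digits is a SHA1 digest. A plaintext
# password of that shape would be misclassified.
SHA1_HEX = re.compile(r"[0-9a-fA-F]{40}")

def load(rows):
    """Build an in-memory copy of the three tables used in the post."""
    db = sqlite3.connect(":memory:")
    for table, cols in COLUMNS.items():
        db.execute(f"CREATE TABLE {table} ({cols})")
        marks = ",".join("?" * len(cols.split(",")))
        db.executemany(f"INSERT INTO {table} VALUES ({marks})", rows[table])
    return db

def audit(db):
    """Return (username, finding) for rows whose storage and Auth-Type disagree."""
    pap_users = {u for (u,) in db.execute(
        "SELECT ug.username FROM usergroup ug "
        "JOIN radgroupcheck gc ON gc.groupname = ug.groupname "
        "WHERE gc.attribute = 'Auth-Type' AND gc.value = 'PAP'")}
    findings = []
    for user, value in db.execute(
            "SELECT username, value FROM radcheck "
            "WHERE attribute = 'Password' ORDER BY username"):
        hashed = SHA1_HEX.fullmatch(value) is not None
        if hashed and user not in pap_users:
            # The digest would go through the plaintext Password check.
            findings.append((user, "sha1-value-without-pap"))
        elif not hashed and user in pap_users:
            # The pap module would treat a plaintext value as a digest.
            findings.append((user, "plaintext-value-with-pap"))
    return findings

if __name__ == "__main__":
    print(audit(load(ROWS)))
```

Against a live database the same two SELECT statements can be run over a MySQL connection in place of the in-memory copy.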