1.1.6: PAP and MySQL-stored NT-Password don't work
Stefan Winter
stefan.winter at restena.lu
Thu Apr 26 08:51:56 CEST 2007
Hi,
I try to get rid of cleartext passwords stored in a MySQL db, and replace them
by NT hashes. I set up a test environment and first tried with an entry in
users:
swinter NT-Password := "...", Auth-Type := Accept
which worked okay.
Storing the same password in MySQL did NOT work, with a quite spurious error,
see below:
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:52635, id=148, length=59
User-Name = "swinter"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1234
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "swinter", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
modcall[authorize]: module "files" returns notfound for request 1
radius_xlat: 'swinter'
rlm_sql (sql): sql_set_user escaped user --> 'swinter'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radcheck WHERE Username = 'swinter' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'swinter' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radreply WHERE Username = 'swinter' ORDER BY id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'swinter' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns ok for request 1
rlm_pap: Normalizing NT-Password from hex encoding
modcall[authorize]: module "pap" returns updated for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type pap
auth: type "PAP"
Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 1
rlm_pap: login attempt with password test
rlm_pap: Using NT encryption.
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Hash test'
rlm_mschap: Unknown expansion string "NT-Hash test"
radius_xlat: ''
rlm_pap: mschap xlat failed
rlm_pap: Passwords don't match
modcall[authenticate]: module "pap" returns reject for request 1
modcall: leaving group PAP (returns reject) for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Especially the lines
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Hash test'
rlm_mschap: Unknown expansion string "NT-Hash test"
radius_xlat: ''
rlm_pap: mschap xlat failed
appear suspicious ("test" is the password"). Maybe there's some xlat escaping
wrong?
The configuration in use is almost as shipped, only added sql config.
Greetings,
Stefan Winter
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070426/05af3241/attachment.pgp>
More information about the Freeradius-Users
mailing list