Using the various User-Password, Chap-Password, etc... with MySQL

liran tal liransgarage at gmail.com
Mon Jul 30 17:55:16 CEST 2007


Hey, some updates...

Ok, I've done some tests and thanks to Kegal I was able to move forward with
these different 'scenarios'.

For having an encrypted password in the database, what can be done is to give
the user the attribute Crypt-Password and set the Value to be
ENCRYPT('somepass'), where ENCRYPT() is a MySQL function.

Still have to figure out about MD5, SHA1 and CHAP.


Thanks so far,
Liran.


On 7/30/07, liran tal <liransgarage at gmail.com> wrote:
>
> Thanks Alan,
>
> I've read the manpage on rlm_pap.
> Regarding the User-Password attribute I understand that it is still
> supported but we moved to using Cleartext-Password which is essentially
> the same.
>
> Regarding the other attributes like Crypt-Password or MD5-Password, the
> manpage says that these contain the crypted/md5 hashed form of the
> password. Does that mean that if I use those as the password attribute
> then in the database I'm supposed to use the MD5() function to encrypt
> the password I save there?
>
> This also brings me to another question, if I can encrypt like that a
> password in the database even for the Cleartext-Password (or the
> deprecated User-Password) attribute as the manpage also mentions that
> rlm_pap, if put last in the authorize section will try to decrypt the
> password.
>
>
> Do I understand this correctly?
>
>
> Regards,
> Liran.
>
>
> On 7/29/07, Alan DeKok <aland at deployingradius.com> wrote:
> >
> > liran tal wrote:
> > > > I was wondering if someone can clearly explain the use of different
> > > > Password attributes when they're used in a scenario where MySQL is
> > > > involved.
> >
> >   The different password attributes have nothing to do with MySQL.
> >
> >   Put a clear-text password in MySQL, and let the server deal with
> > different authentication protocols.
> >
> > > > The basic case of User-Password is clear.
> > > > When the attribute in the radcheck table is User-Password then its
> > > > value is the password in clear text and the op is ==
> >
> >   No.  See the recent documentation in 1.1.5 and following.  The
> > attribute is Cleartext-Password, and the operator is :=.
> >
> > > > What about Cleartext-Password? I've added this attribute with op of :=
> > > > and value password in clear text and used radtest as a test, and it
> > > > results in just re-transmission of Access-Request queries, and
> > > > basically not working.
> >
> > >   See the FAQ for "it doesn't work".  The FAQ, README, INSTALL, etc. all
> > > say to run the server in debugging mode.
> >
> > > What about Chap-Password, MD5-Password, SHA1-Password, what are their
> > > corresponding values and op like?
> >
> >   Read the documentation in "man rlm_pap", as suggested in the README.
> >
> >   Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>
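
Added example, not part of the original thread and not FreeRADIUS code: a Python sketch of why a PAP password can be checked against the MD5-Password or SHA1-Password digests discussed above, while a CHAP response can only be verified when the stored attribute is Cleartext-Password. The function names, the hex digest encoding and the sample password and challenge are assumptions made for this illustration.

```python
import hashlib
import hmac

# Hash functions behind the two hashed attributes named in the thread.
HASHES = {"MD5-Password": hashlib.md5, "SHA1-Password": hashlib.sha1}

def stored_value(attr: str, password: bytes) -> str:
    """Value to store for attr (hex digest; the encoding is this sketch's assumption)."""
    if attr == "Cleartext-Password":
        return password.decode()
    return HASHES[attr](password).hexdigest()

def pap_check(attr: str, stored: str, submitted: bytes) -> bool:
    """PAP: the server receives the password itself, so it can hash and compare."""
    return hmac.compare_digest(stored_value(attr, submitted), stored)

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_check(attr: str, stored: str, chap_id: int,
               challenge: bytes, response: bytes) -> bool:
    """CHAP: the server must recompute the response, which needs the cleartext."""
    if attr != "Cleartext-Password":
        return False  # a stored digest cannot be turned back into the password
    expected = chap_response(chap_id, stored.encode(), challenge)
    return hmac.compare_digest(expected, response)

# Constructed sample data (not taken from the thread's systems).
PASSWORD = b"somepass"
CHAP_ID = 7
CHALLENGE = bytes(range(16))
CLIENT_RESPONSE = chap_response(CHAP_ID, PASSWORD, CHALLENGE)

if __name__ == "__main__":
    for attr in ("Cleartext-Password", "MD5-Password", "SHA1-Password"):
        value = stored_value(attr, PASSWORD)
        print(attr,
              "PAP:", pap_check(attr, value, PASSWORD),
              "CHAP:", chap_check(attr, value, CHAP_ID, CHALLENGE, CLIENT_RESPONSE))
```

Only the Cleartext-Password row passes both checks, which matches the advice in the thread to store a clear-text password and let the server handle the different authentication protocols.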