1.1.6: PAP and MySQL-stored NT-Password don't work

Stefan Winter stefan.winter at restena.lu
Wed May 9 10:57:47 CEST 2007 

Hi,

noone an idea on the issue below? Is my requirement to have PAP credentials 
verified against NT-Hashes in mySQL so unusual? I would have thought this was 
a common thing to do...

Am Donnerstag, 26. April 2007 08:51:56 schrieb Stefan Winter:
> Hi,
>
> I try to get rid of cleartext passwords stored in a MySQL db, and replace
> them by NT hashes. I set up a test environment and first tried with an
> entry in users:
>
> swinter	NT-Password := "...", Auth-Type := Accept
>
> which worked okay.
>
> Storing the same password in MySQL did NOT work, with a quite spurious
> error, see below:
>
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Access-Request packet from host 127.0.0.1:52635, id=148,
> length=59 User-Name = "swinter"
>         User-Password = "test"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 1234
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
>   modcall[authorize]: module "preprocess" returns ok for request 1
>   modcall[authorize]: module "chap" returns noop for request 1
>   modcall[authorize]: module "mschap" returns noop for request 1
>     rlm_realm: No '@' in User-Name = "swinter", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 1
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 1
>   modcall[authorize]: module "files" returns notfound for request 1
> radius_xlat:  'swinter'
> rlm_sql (sql): sql_set_user escaped user --> 'swinter'
> radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM
> radcheck           WHERE Username = 'swinter'           ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 3
> radius_xlat:  'SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch
>eck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
> usergroup.Username = 'swinter' AND usergroup.GroupName =
> radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat:  'SELECT
> id, UserName, Attribute, Value, op           FROM radreply           WHERE
> Username = 'swinter'           ORDER BY id' radius_xlat:  'SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre
>ply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
> usergroup.Username = 'swinter' AND usergroup.GroupName =
> radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released
> sql socket id: 3
>   modcall[authorize]: module "sql" returns ok for request 1
> rlm_pap: Normalizing NT-Password from hex encoding
>   modcall[authorize]: module "pap" returns updated for request 1
> modcall: leaving group authorize (returns updated) for request 1
>   rad_check_password:  Found Auth-Type pap
> auth: type "PAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group PAP for request 1
> rlm_pap: login attempt with password test
> rlm_pap: Using NT encryption.
> radius_xlat: Running registered xlat function of module mschap for
> string 'NT-Hash test'
>   rlm_mschap: Unknown expansion string "NT-Hash test"
> radius_xlat:  ''
> rlm_pap: mschap xlat failed
> rlm_pap: Passwords don't match
>   modcall[authenticate]: module "pap" returns reject for request 1
> modcall: leaving group PAP (returns reject) for request 1
> auth: Failed to validate the user.
> Delaying request 1 for 1 seconds
> Finished request 1
>
> Especially the lines
>
> radius_xlat: Running registered xlat function of module mschap for
> string 'NT-Hash test'
>   rlm_mschap: Unknown expansion string "NT-Hash test"
> radius_xlat:  ''
> rlm_pap: mschap xlat failed
>
> appear suspicious ("test" is the password"). Maybe there's some xlat
> escaping wrong?
> The configuration in use is almost as shipped, only added sql config.
>
> Greetings,
>
> Stefan Winter

Content of mySQL is:

> +----+----------+-------------+----------------------------------+----+
> | id | UserName | Attribute   | Value                            | op |
> +----+----------+-------------+----------------------------------+----+
> |  1 | swinter  | NT-Password | 0CB6948805F797BF2A82807973B89537 | := |
> +----+----------+-------------+----------------------------------+----+

and no radgroupchecks. 

Sidenote: I looked into the code of rlm_pap and its call to xlat of 
rlm_mschap. I really couldn't figure out what is supposed to happen in that 
call, the xlat string "NT-Hash <password>" has no mention at all in 
rlm_mschaps xlat. Maybe some old code section that got lost somewhen?

Greetings,

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070509/03fd36dd/attachment.pgp>

More information about the Freeradius-Users mailing list