radius+ldap+peap

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Fri May 18 15:27:09 CEST 2007


Angelos Karageorgiou wrote:
> As a general rule of thumb, always use clear text in the LDAP databases
> where you are trying to offer enhanced password protection like
> CRAM-MD5, even CHAP etc.
> 
> You need the original data to calculate the hashes from.
> 
> 
> Alan DeKok wrote:
>> Arjuna Scagnetto wrote:
>> ...
>>> PEAP with user whose password is in LDAP
>> ...
>>> userPAssword: {SSHA}tymetcetcetc
>>   This WILL NOT WORK.  See:
>>
>> http://deployingradius.com/documents/protocols/compatibility.html
>>
>>   use clear-text passwords in LDAP.  If you can't put clear-text
>> passwords in LDAP, stop trying to use PEAP.

NO! Calculate the damn NT hashes... Never put users' clear-text 
passwords in LDAP if you can avoid it.

Create an attribute called NTPassword and map it to NT-Password.

Calculate the hash using

$hash = "0x" . bin2hex(mhash(MHASH_MD4,
    mb_substr(mb_convert_encoding($str, 'UCS-2LE', 'auto'), 0, 128, 'UCS-2LE')));

in PHP.

or calculate the MD4 hash of the UCS-2LE encoded passphrase and output it 
as hex prefixed with 0x....

MSCHAPv2 will now work, which means you can use PEAP and TTLS MSCHAPv2.

For PAP, calculate the SSHA password and prefix it with {ssha}:

$salt = substr(md5(mt_rand() . $str), 0, 4); # Generate a 4 byte salt
$hash = base64_encode(mhash(MHASH_SHA1, $str . $salt) . $salt);

Use auto_header in LDAP and PAP to authenticate.

The weak point is the NT hash, as it has no salt, and there are known 
issues with MD4, but it's still better than leaving everything in cleartext.
-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
