PAM, ms-chap and shadow passwords

Nicolas Goutte nicolas.goutte at
Mon Jun 9 18:16:00 CEST 2008

Am 09.06.2008 um 17:58 schrieb up at

> I understand that radius authenticating ppp (PPTP in this case)  
> connections against shadow passwords requires cleartext  
> authentication (PAP).
> Does PAM allow you to work around this?  From reading what I can  
> find on PAM, it would seem that FreeRADIUS would pass off the  
> authentication request to PAM and PAM could then take care of the  
> crypt/decrypt, thus allowing CHAP or MSCHAP client authentication  
> against shadow passwords.

PAM cannot do anything more.

The problem is that shadow passwords are hashed in one way, MS-CHAP  
hashes another way. So the hashes are incompatibles and you cannot  
decode hashes; that is why there are made for. (There is no "decrypt"  
for this reason.)

One possible way is to check again Samba passwords if it is something  
possible for you to have.

> Is this correct?

No. sorry.

> TIA,

Have a nice day!

> James Smallacombe		      PlantageNet, Inc. CEO and Janitor
> up at	
> ====================================================================== 
> ===
> -
> List info/subscribe/unsubscribe? See 
> users.html

Nicolas Goutte

extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe

Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registergericht: Amtsgericht Münster / HRB: 5624
Steuer Nr.: 337/5903/0421 / UstID: DE 204607841

More information about the Freeradius-Users mailing list