encrypted passwords in users file
ashish verma
ashish.scit at gmail.com
Thu Mar 13 12:35:35 CET 2008
Hi all,
Is it possible to keep encrypted passwords in users file?
For e.g. test Cleartext-Password := "test"
Service-type = NAS-Prompt-User
instead of cleartext can we have encrypted passwords here.
Thanks.
On Thu, Mar 13, 2008 at 4:32 PM, <
freeradius-users-owner at lists.freeradius.org> wrote:
> You are not allowed to post to this mailing list, and your message has
> been automatically rejected. If you think that your messages are
> being rejected in error, contact the mailing list owner at
> freeradius-users-owner at lists.freeradius.org.
>
>
>
> ---------- Forwarded message ----------
> From: "ashish verma" <ashish.scit at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Date: Thu, 13 Mar 2008 16:32:21 +0530
> Subject: encrypted passwords in users file
> Hi all,
>
> Is it possible to keep encrypted passwords in users file?
>
> For e.g. test Cleartext-Password := "test"
> Service-type = NAS-Prompt-User
>
> instead of cleartext can we have encrypted passwords here.
>
> Thanks.
>
>
>
> On Tue, Oct 23, 2007 at 2:03 PM, <
> freeradius-users-request at lists.freeradius.org> wrote:
>
> > Send Freeradius-Users mailing list submissions to
> > freeradius-users at lists.freeradius.org
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > http://lists.freeradius.org/mailman/listinfo/freeradius-users
> > or, via email, send a message with subject or body 'help' to
> > freeradius-users-request at lists.freeradius.org
> >
> > You can reach the person managing the list at
> > freeradius-users-owner at lists.freeradius.org
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Freeradius-Users digest..."
> >
> >
> > Today's Topics:
> >
> > 1. Are SHA-256 certificates supported? (hannu.lammi at wipsl.com)
> > 2. Re: Freeradius doesn't detect EAP when authenticating against
> > MySQL (Alan DeKok)
> > 3. Re: TTLS with Mutual Authentication (Alan DeKok)
> > 4. Re: Are SHA-256 certificates supported? (Alan DeKok)
> > 5. FreeRADIUS and SNMP questions (Geoffroy Arnoud)
> > 6. Re: Freeradius doesn't detect EAP when authenticating against
> > MySQL (primoz)
> > 7. Re: FreeRADIUS and SNMP questions (Alan DeKok)
> > 8. Re: Freeradius doesn't detect EAP when authenticating against
> > MySQL (Alan DeKok)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Tue, 23 Oct 2007 10:10:05 +0300 (EEST)
> > From: hannu.lammi at wipsl.com
> > Subject: Are SHA-256 certificates supported?
> > To: freeradius-users at lists.freeradius.org
> > Message-ID: <14671.192.100.116.143.1193123405.squirrel at mail.wipsl.com>
> > Content-Type: text/plain;charset=utf-8
> >
> > Hi,
> >
> > I need to set up a RADIUS server that accepts certificates which use
> > SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set
> > up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the
> > box.
> >
> > After verifying that EAP-TLS authentication works with SHA-1
> > certificates
> > I switched to SHA-256 certificate that was created with OpenSSL 0.9.8b,
> > the same that FreeRADIUS was compiled against.
> >
> > Here's a snippet of the log I got from my SHA-256 test:
> >
> > =====
> > --> verify error:num=7:certificate signature failure
> > rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
> > TLS Alert write:fatal:decrypt error
> > TLS_accept:error in SSLv3 read client certificate B
> > rlm_eap: SSL error error:0D0C50A1:asn1 encoding
> > routines:ASN1_item_verify:unknown message digest algorithm
> > =====
> >
> > It would seem there's a problem somewhere. It may very well be in the
> > client I'm using.
> >
> > So, I'd like to know if FreeRADIUS supports SHA-256 certificates?
> > If it doesn't, is the support for them planned?
> >
> > thanks in advance,
> > - Hannu
> >
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Tue, 23 Oct 2007 09:12:03 +0200
> > From: Alan DeKok <aland at deployingradius.com>
> > Subject: Re: Freeradius doesn't detect EAP when authenticating against
> > MySQL
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Message-ID: <471D9EC3.4090609 at deployingradius.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > preem wrote:
> > > So, what is a common practice to do this then?
> >
> > It's not.
> >
> > People store MD5 or crypt'd passwords when the ONLY authentication
> > they're doing is PAP. i.e. Unix logins, where the user supplies a
> > clear-text password to the authentication system.
> >
> > For many EAP types, people do NOT store MD5 or crypt'd passwords,
> > because they're useless.
> >
> > > I understand its not very
> > > safe nor sane to store passwords in clear text, thats why I wanted to
> > avoid
> > > that, however it seems inevitable.
> >
> > It is safe, sane, and common practice to store passwords in clear text.
> >
> > > I am managing a wired network for some 300 users, its a student dorm
> > and the
> > > university owns the network and they require authentication for the
> > ease of
> > > management and control. 802.1x felt like the right way to go, because
> > we are
> > > planning some wireless access points as well. There are HP's Procurve
> > 2650
> > > switches in use. I choose mysql db backend, because I also created set
> > of
> > > PHP scripts, where users can change their passwords and admin can
> > > add/del/modify user info.
> > > So what can one do to avoid storing passes in clear text or is it sane
> > > enough? The server also serves some web pages and dhcp requests.
> >
> > Ensure that no one has physical access to the system storing the
> > passwords. Ensure that no one has network access to the system storing
> > the passwords.
> >
> > I would also suggest running the RADIUS server and/or the MySQL server
> > with passwords on a separate machine from the web/dhcp server. That
> > way, if someone breaks into the web server, they won't have access to
> > the passwords.
> >
> > Alan DeKok.
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Tue, 23 Oct 2007 09:23:50 +0200
> > From: Alan DeKok <aland at deployingradius.com>
> > Subject: Re: TTLS with Mutual Authentication
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Message-ID: <471DA186.5030601 at deployingradius.com>
> > Content-Type: text/plain; charset=UTF-8
> >
> > Zolotov, Eyal wrote:
> > > By ?mutual authentication? I refer to the following authentication
> > process:
> > >
> > > 1. The client authenticate the server
> >
> > Give the client the CA cert used to sign the server cert.
> >
> > > 2. The server authenticate the client
> >
> > Create a client cert, signed by the server cert.
> >
> > > 3. Only than ? the clients sends username + password using
> > MSCHAPv2
> >
> > In unlang, set:
> >
> > update control {
> > EAP-TLS-Require-Client-Cert = yes
> > }
> >
> > This forces the server to validate the client cert, which is normally
> > not required for TTLS.
> >
> > Alan DeKok.
> >
> >
> > ------------------------------
> >
> > Message: 4
> > Date: Tue, 23 Oct 2007 09:25:33 +0200
> > From: Alan DeKok <aland at deployingradius.com>
> > Subject: Re: Are SHA-256 certificates supported?
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Message-ID: <471DA1ED.9050806 at deployingradius.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > hannu.lammi at wipsl.com wrote:
> > > I need to set up a RADIUS server that accepts certificates which use
> > > SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have
> > set
> > > up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the
> > > box.
> >
> > If OpenSSL supports it, AND the client supplicant supports it, it
> > should work.
> >
> > > Here's a snippet of the log I got from my SHA-256 test:
> > >
> > > =====
> > > --> verify error:num=7:certificate signature failure
> > > rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
> > > TLS Alert write:fatal:decrypt error
> > > TLS_accept:error in SSLv3 read client certificate B
> > > rlm_eap: SSL error error:0D0C50A1:asn1 encoding
> > > routines:ASN1_item_verify:unknown message digest algorithm
> >
> > That would seem to be an SSL issue.
> >
> > > So, I'd like to know if FreeRADIUS supports SHA-256 certificates?
> > > If it doesn't, is the support for them planned?
> >
> > FreeRADIUS doesn't support SSL. It uses OpenSSL, which *does* support
> > SSL. So if there are SSL issues, find out why OpenSSL doesn't like the
> > TLS session.
> >
> > Alan DeKok.
> >
> >
> > ------------------------------
> >
> > Message: 5
> > Date: Tue, 23 Oct 2007 10:04:23 +0200 (CEST)
> > From: Geoffroy Arnoud <garnoud at yahoo.co.uk>
> > Subject: FreeRADIUS and SNMP questions
> > To: FreeRADIUS users <freeradius-users at lists.freeradius.org>
> > Message-ID: <626622.60897.qm at web27314.mail.ukl.yahoo.com>
> > Content-Type: text/plain; charset=iso-8859-1
> >
> > Hi all,
> >
> > I have 2 questions regarding FreeRADIUS and SNMP:
> >
> > 1/ Is it possible to run 2 FreeRADIUS servers on the
> > same box, with SNMP support activated? I understand
> > it's possible, using distinct values for smux_password
> > parameter.
> >
> > 2/ Connecting FreeRADIUS to Net-SNMP using SMUX is
> > quite easy. Has anyone connected FreeRADIUS with BMC
> > PAtrol agent using SMUX?
> >
> > Thanks for any answer
> >
> > Geoff.
> >
> >
> >
> > _____________________________________________________________________________
> > Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo!
> > Mail
> >
> >
> > ------------------------------
> >
> > Message: 6
> > Date: Tue, 23 Oct 2007 10:08:22 +0200
> > From: primoz <primski at gmail.com>
> > Subject: Re: Freeradius doesn't detect EAP when authenticating against
> > MySQL
> > To: "FreeRadius users mailing list"
> > <freeradius-users at lists.freeradius.org>
> > Message-ID:
> > <ead364dc0710230108u752b2593h4a7885ca04e61ce7 at mail.gmail.com>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > On 10/23/07, Alan DeKok <aland at deployingradius.com> wrote:
> > >
> > > preem wrote:
> > > > So, what is a common practice to do this then?
> > >
> > > It's not.
> > >
> > > People store MD5 or crypt'd passwords when the ONLY authentication
> > > they're doing is PAP. i.e. Unix logins, where the user supplies a
> > > clear-text password to the authentication system.
> >
> >
> >
> > And PAP is not very safe and smart way to go as i read it.
> >
> > For many EAP types, people do NOT store MD5 or crypt'd passwords,
> > > because they're useless.
> >
> >
> >
> > So, crypted passwords are usefull only in web applications? I read a lot
> > lately about, how one should never store passwords in clear text, i
> > guess
> > that applies only to web apps.
> >
> > > I understand its not very
> > > > safe nor sane to store passwords in clear text, thats why I wanted
> > to
> > > avoid
> > > > that, however it seems inevitable.
> > >
> > > It is safe, sane, and common practice to store passwords in clear
> > text.
> >
> >
> >
> > I do not have many experience with this, in fact its my first project on
> > the
> > matter.
> >
> > > I am managing a wired network for some 300 users, its a student dorm
> > and
> > > the
> > > > university owns the network and they require authentication for the
> > ease
> > > of
> > > > management and control. 802.1x felt like the right way to go,
> > because we
> > > are
> > > > planning some wireless access points as well. There are HP's
> > Procurve
> > > 2650
> > > > switches in use. I choose mysql db backend, because I also created
> > set
> > > of
> > > > PHP scripts, where users can change their passwords and admin can
> > > > add/del/modify user info.
> > > > So what can one do to avoid storing passes in clear text or is it
> > sane
> > > > enough? The server also serves some web pages and dhcp requests.
> > >
> > > Ensure that no one has physical access to the system storing the
> > > passwords. Ensure that no one has network access to the system
> > storing
> > > the passwords.
> >
> >
> >
> > That will be no problem, since I'm the only one with physical access.
> >
> > I would also suggest running the RADIUS server and/or the MySQL server
> > > with passwords on a separate machine from the web/dhcp server. That
> > > way, if someone breaks into the web server, they won't have access to
> > > the passwords.
> >
> >
> > I am using VMWare server, so that won't require much work.
> >
> > Alan DeKok.
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> >
> >
> >
> > Thanks again, for clearing this up.
> >
> > primski
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: <
> > https://lists.freeradius.org/pipermail/freeradius-users/attachments/20071023/4d843567/attachment-0001.html
> > >
> >
> > ------------------------------
> >
> > Message: 7
> > Date: Tue, 23 Oct 2007 10:28:52 +0200
> > From: Alan DeKok <aland at deployingradius.com>
> > Subject: Re: FreeRADIUS and SNMP questions
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Message-ID: <471DB0C4.3030305 at deployingradius.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > Geoffroy Arnoud wrote:
> > > 1/ Is it possible to run 2 FreeRADIUS servers on the
> > > same box, with SNMP support activated? I understand
> > > it's possible, using distinct values for smux_password
> > > parameter.
> >
> > I'm not sure. FreeRADIUS tries to grab the IETF RADIUS SNMP OID
> > space. If there are two servers, they may conflict with their OID
> > registration.
> >
> > Perhaps it would be useful to *also* export the IETF SNMP space under
> > a configurable hierarchy?
> >
> > > 2/ Connecting FreeRADIUS to Net-SNMP using SMUX is
> > > quite easy. Has anyone connected FreeRADIUS with BMC
> > > PAtrol agent using SMUX?
> >
> > Not me, sorry.
> >
> > Alan DeKok.
> >
> >
> > ------------------------------
> >
> > Message: 8
> > Date: Tue, 23 Oct 2007 10:32:48 +0200
> > From: Alan DeKok <aland at deployingradius.com>
> > Subject: Re: Freeradius doesn't detect EAP when authenticating against
> > MySQL
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Message-ID: <471DB1B0.1000409 at deployingradius.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > primoz wrote:
> > > And PAP is not very safe and smart way to go as i read it.
> >
> > PAP is fine for RADIUS.
> >
> > > So, crypted passwords are usefull only in web applications?
> >
> > That's not at all what I said. I specifically mentioned Unix logins.
> > Crypt'd passwords are useful only for PAP. There are many, many, kinds
> > of systems using clear-text passwords (i.e. PAP) for authentication.
> >
> > > I read a lot
> > > lately about, how one should never store passwords in clear text, i
> > > guess that applies only to web apps.
> >
> > No. It's written by people who either don't understand security, OR
> > aren't using EAP methods. Again, if all you're doing is PAP, then
> > crypt'd passwords are OK. If you need EAP, you also need clear-text
> > passwords.
> >
> > Stop trying to apply comments from web application "how-to's" to
> > RADIUS. They're not the same, and the security analysis is not the
> > same.
> >
> > > It is safe, sane, and common practice to store passwords in
> > clear
> > > text.
> > >
> > > I do not have many experience with this, in fact its my first project
> > on
> > > the matter.
> >
> > Then why are you questioning the answers you get here?
> >
> > Alan DeKok.
> >
> >
> > ------------------------------
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> >
> > End of Freeradius-Users Digest, Vol 30, Issue 82
> > ************************************************
> >
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080313/c725a333/attachment.html>
More information about the Freeradius-Users
mailing list