Crypt Passwords in SQL

Thu Nov 18 17:34:36 CET 2010

On Thursday, November 18, 2010 09:40:26 am Kenneth Marshall wrote:
> On Wed, Nov 17, 2010 at 05:00:19PM -0500, William wrote:
> > On Wednesday, November 17, 2010 04:24:32 pm Kenneth Marshall wrote:
> > > On Wed, Nov 17, 2010 at 04:15:47PM -0500, William wrote:
> > > > Greetings,
> > > > 
> > > >   First, Thanks Alan DeKok.  That was exactly what I needed for
> > > > 
> > > > NAS_Showt_Name.
> > > > 
> > > >   Second, I just discovered a new issue.  Not sure if this is a
> > > >   radius or a
> > > > 
> > > > MySQL issue.
> > > > 
> > > > When I crypt a password (MySQL CRYPT command) the password matches
> > > > anything and everything that matches the first 8 characters of the
> > > > password.
> > > > 
> > > > Is this a limitation of Radius crypt or is it a Mysql crypt ?  I need
> > > > 16+ character password that match.
> > > > 
> > > > Wm
> > > 
> > > Crypt has an 8 character limit in its specification. Some screwy
> > > systems play tricks like using the first 7 chars + the last char
> > > of a string longer than 8 chars (MacOS) instead of just the first
> > > 8, but it is still eight chars. You will need to use another
> > > encoding system for more characters.
> > 
> > What attribute would I use instead of Crypt-Password ?  I tried
> > MD5-Password and a couple of others, but I can find no documentation on
> > anything other than User-Password, Crypt-Password, ClearText-Password,
> > and CHAP-Password.
> > 
> > Wm
> 
> Crypt-Password just holds the encrypted password. It is up to you

 I tried a MD5 password of "testpassword" so that table has:
 ID|username|attribute...................|op..|value.
 1  | testuser   |  Crypt-Password  | == |  e16b2ab8d12314bf4efbd6203906ea6c 

 using SQL command that contained: SET `value` = MD5( 'testpassword' )

Radius claims the password is incorrect when I test it.

** Result from radius -X: (attribute set to CRYPT-Password)
 <snip>
 +- entering group PAP {...}
 [pap] login attempt with password "testpassword"
 [pap] Using CRYPT encryption.
 [pap] Passwords don't match
 ++[pap] returns reject
 Failed to authenticate the user.
 Login incorrect (rlm_pap: CRYPT password check failed): 
 [testuser/testpassword] (from client Local2 port 12)

**Result from radiusd -X: (attribute set to MD5-Password)
[pap] WARNING! No "known good" password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.
Login incorrect: [testuser/testpassword] (from client Local2 port 12)
Using Post-Auth-Type Reject

I tried with attribute as MD5-Password.
I've read the man rlm_pap man-file.  I saw the section marked Header.  
How/where do I need to add that? or is it auto-magic?

I even tried {md5}<encrypted password here> still claoms php can't find a 
known good password.

I tried with pap's auto-header set to yes... Nothing seems to work.  Any 
 pointers or suggestions?

 Wm