LDAP/MSCHAP
Phil Mayers
p.mayers at imperial.ac.uk
Fri Nov 11 08:54:30 CET 2011
On 11/10/2011 11:36 PM, Sallee, Stephen (Jake) wrote:
> Please forgive the interjection, but does anyone know of a helper
> module like ntlm_auth that would work with LDAP, seems like such a
> tool would make questions like this a non-issue.

MSCHAP is a challenge-response mechanism. To execute the cryptographic
calculation, you MUST have access to the NT or LM hashes of the user's
password.

It's unclear to me what kind of "helper" module you're envisaging;
perhaps a USB-attached quantum computer that can crack the crypto in
realtime ;o)

In all seriousness - there's nothing to "help" here. People wanting to
do MSCHAP must have either:

1. The NT or LM hashes
2. The cleartext password, to generate the NT/LM hashes
3. Access to a system which will perform the MSCHAP crypto for them
   (i.e. a domain controller, access via samba/ntlm_auth)

This is by design - the cryptographic properties of MSCHAP were created
intentionally to make this the case.