LDAP/MSCHAP

Andreas Rudat rudat at endstelle.de
Sun Nov 13 12:30:50 CET 2011


On 12.11.2011 23:00, Sven Hartge wrote:
> Sven Hartge <sven at svenhartge.de> wrote:
>> Andreas Rudat <rudat at endstelle.de> wrote:
>>> On 11.11.2011 03:56, Fajar A. Nugraha wrote:
>>>> On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten <Ggatten at waddell.com> wrote:
>>>>> I agree with Jake, in that I *think* it would be possible to have a
>>>>> plugin or whatever interface with LDAP/AD in the same manner
>>>>> ntlm_auth does.  I don't think one *needs* a cleartext password,
>>>>> but does need some way to compare apples-to-apples.
>>>> That's exactly what Alan is saying: " store your passwords in the
>>>> LDAP as NT-Password or LM-Password "
>>> But if that works, why is everyone saying that you can just work
>>> with plaintext? It's really confusing.
>> NT/LM-Password is "special". This is why it works with MSCHAPv2, both
>> being a Microsoft "invention".
> To be precise: MSCHAPv2 works with the NT/LM-Password as input to the
> Challenge-Handshake and not the "raw" cleartext password. This is why
> this works.
>
> FreeRADIUS converts a cleartext password into the needed NT-Hash and
> then applies this to the MSCHAPv2 handshake. Or it uses a pre-existing
> NT-Hash from LDAP/MySQL/whatever.
>
> Quote from http://en.wikipedia.org/wiki/NTLM
> ,----
> | The NTLM protocol uses one or both of two hashed password values, both
> | of which are also stored on the server (or domain controller), and which
> | are password equivalent, meaning that if you grab the hash value from
> | the server, you can authenticate without knowing the actual password.
> `----
>
> This also means you have to protect those Hashes inside your database
> like a raw cleartext password, as you can authenticate to any Windows
> box with the knowledge of the NT/LM-Hash.
>
> This has been exploited by several Windows trojan horses, which grabbed
> the NT-Hash from the Administrator user to log in to other boxes on the
> network using the same password (or worse: the domain controller).
>
> Regards,
> S
Ah, many thanks for that clarification, so both are bad no matter which
mechanism is used.

Andreas
