Sven Hartge sven at svenhartge.de
Sun Nov 13 15:38:58 CET 2011

Andreas Rudat <rudat at endstelle.de> wrote:
> Am 12.11.2011 23:00, schrieb Sven Hartge:

>> This also means you have to protect those Hashes inside your database
>> like a raw cleartext password, as you can authenticate to any Windows
>> box with the knowledge of the NT/LM-Hash.
>> This has been exploitet by several Windows trojan horses, which
>> grabbed to NT-Hash from the Administrator user to login into other
>> boxes on the network using the same password (or worse: the domain
>> controller).

> Ah much thanks for that clearing, so both is bad no matter which
> mechnism is used.

Yes. Storing the NT-Hash has the advantage of not completley exposing
the cleartext password to a possible intruder. Storing the LM-Hash is
just dumb, because a) it limits the the length of the password to 16
characters and b) LM-Hash is easily broken in seconds by todays

Storing the raw cleartext password is as bad, but it enables one to use
other challange-handshake auths, if needed.

I chose to store the raw cleartext password in LDAP, but in a different
attribute than the normal userPassword.

This way, if my LDAP servers ever get compromised (or I mess up with an
ACL, enabling anyone to read the cleartext password), just the
WLAN/Dialup-Password of a user is revealed and not the master password
for the account, which is used for mail, login in to computers, etc.


Sigmentation fault. Core dumped.

More information about the Freeradius-Users mailing list