Problem with crypt passwords matching

Doug Hardie bc979 at lafn.org
Thu Aug 16 01:46:09 CEST 2012


On 15 August 2012, at 14:23, Fajar A. Nugraha wrote:

> On Thu, Aug 16, 2012 at 3:40 AM, Robert Haskins
> <robert.haskins at gmail.com> wrote:
>> I get a reject, even though the
>> crypt'd passwords match!
> 
> That's not how crypt works. You don't compare the crypted password.
> 
> 
>> [pap] login attempt with password "krt444"
> 
> that is what the user sends
> 
>> [pap] Using CRYPT password "*3u.3LS/VKTOVc"
> 
> that is what FR reads from whatever backend which stores user
> information (in your case, should be the unix module)
> 
>> The crypt'd password ("*3u.3LS/VKTOVc") is exactly what is in the
>> /etc/shadow file.
> 
> because that's where FR reads it from, of course it's the same.
> 
>> So I am confident the shared secret is correct.
> 
> Shared secret has nothing to do with your problem.
> 
>> What am I doing wrong?
> 
> Simple. Is "krt444" the correct password? FR says it's not.
> 

I don't know for sure about your system, but most Unix-based systems will not generate a * in the encrypted password. Normally that is used to indicate a locked or disabled account. From the FreeBSD man pages:

     A password of `*' indicates that password authentication is disabled for
     that account (logins through other forms of authentication, e.g., using
     ssh(1) keys, will still work).  The field only contains encrypted pass-
     words, and `*' can never be the result of encrypting a password.


You might want to try reentering that password or check your man pages.
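
A shape check for password fields along the lines of the man page excerpt above, as an added example that is not part of the original post or of FreeRADIUS: it reports fields that carry a lock marker and so cannot be plain crypt output. The account names and every sample hash except the one quoted in the thread are constructed, and the marker list (`*`, `!`, `!!`, `*LOCKED*`) is an assumption covering common FreeBSD and Linux conventions.

```python
import re

# crypt(3) output uses only the 64-symbol alphabet ./0-9A-Za-z
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")                # 2 salt + 11 hash chars
MCF_RE = re.compile(r"^\$[0-9a-z]+\$.+\$[./0-9A-Za-z]+$")  # $id$[params$]salt$hash
# Assumed lock markers: FreeBSD "pw lock", Linux "passwd -l", bare "*" / "!"
LOCK_MARKERS = ("*LOCKED*", "!!", "!", "*")

# Constructed shadow-style lines; only the radtest field is quoted from the thread.
SAMPLE = """\
radtest:*3u.3LS/VKTOVc:15568:0:99999:7:::
daemon:*:15000:0:99999:7:::
alice:abCDEFGHIJKLM:15568:0:99999:7:::
bob:!$6$constructedsalt$AAAA:15568:0:99999:7:::
carol:$6$constructedsalt$BBBB:15568:0:99999:7:::
"""

def hash_scheme(field):
    """Name the hash format a string has the shape of, or None."""
    if DES_RE.match(field):
        return "des"
    if MCF_RE.match(field):
        return "mcf"
    return None

def classify(field):
    """Return (state, scheme) for one password field."""
    if field == "":
        return ("empty", None)
    scheme = hash_scheme(field)
    if scheme:
        return ("usable", scheme)
    for marker in LOCK_MARKERS:
        if field.startswith(marker):
            # A marker in front of a hash keeps the hash but blocks any match.
            return ("locked", hash_scheme(field[len(marker):]))
    return ("invalid", None)

def audit(shadow_text):
    """Map each account in shadow-style text to its classification."""
    result = {}
    for line in shadow_text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, field = line.split(":")[:2]
            result[user] = classify(field)
    return result

if __name__ == "__main__":
    for user, (state, scheme) in audit(SAMPLE).items():
        print(f"{user:8} {state:8} {scheme or '-'}")
```

The check looks only at the shape of the field; it does not hash or verify any password.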



