store encrypted passwords

Matthias Nagel matthias.h.nagel at gmail.com
Tue Oct 9 18:32:08 CEST 2012


On Tuesday, 09 October 2012, 09:10:15 you wrote:
> I was mixed up on what table I am talking about; it's the radcheck
> table. I was using navicat to set the attribute to Crypt-Password and
> refreshing the database. The password stayed in plain text.
>

I do not use MySQL a lot and I have never used Navicat before, but from what I can see on the homepage, it is only a GUI to administer MySQL by wrapping SQL statements in a user-friendly interface.

Hence, I assume all that you essentially did was to perform a statement like:

UPDATE radcheck set attribute = 'Crypt-Password' WHERE attribute = 'Cleartext-Password'

Of course this does not change the value in the column 'value'. Why should it be otherwise? MySQL (and Navicat) do not know anything about FreeRadius. If you only update the column "attribute", nothing else will be modified. This is normal SQL behaviour. You are also responsible for modifying the column "attribute" accordingly. This means you have to fill in the encrypted version of the password. No one else will do this for you.

As I said before you must use something like

UPDATE radcheck set attribute = 'Crypt-Password', value = SOME_FANCY_CONVERT_FUNCTION( value ) WHERE some_senseful_condition_here;

where SOME_FANCY_CONVERT_FUNCTION takes the cleartext and converts it into the encrypted version. I have never used FreeRadius with MySQL, so I cannot be more specific on SOME_FANCY_CONVERT_FUNCTION.

But I am astonished by another fact. If you changed 'Cleartext-Password' to 'Crypt-Password' but did not change the value attribute, authentication must fail, because FreeRadius now treats the value as the encrypted version, which it is not. How can it be that you wrote nothing changed?

To be absolutely clear, the possible values for the 'attribute' column to specify a password are:

Cleartext-Password
Crypt-Password
MD5-Password
SMD5-Password
SHA-Password
SSHA-Password
NT-Password
LM-Password

The value of the 'value' column must be the correctly encrypted password with reference to what kind of password you use. That is what I meant by "change accordingly". And secondly everything must support the authentication protocol.

> 
> On Mon, Oct 8, 2012 at 4:29 PM, Matthias Nagel
> <matthias.h.nagel at gmail.com> wrote:
> > Hello,
> >
> > first, please use the correct way of quoting for mailing lists. This is to say, write your comments below the original text that they refer to. That way readers who pick up a thread later can follow more easily. But now back to topic.
> >
> > On Monday, 08 October 2012, 16:17:52 jon jon wrote:
> >> On Mon, Oct 8, 2012 at 4:02 PM, Matthias Nagel
> >> <matthias.h.nagel at gmail.com> wrote:
> >>> Hello,
> >>>
> >>>> I have set up FreeRADIUS Version 2.1.10 on an Ubuntu server 12.04,
> >>>> Mysql Server version: 5.5.24. Everything is up and running but the
> >>>> users' passwords are stored in plain text in radacct. I tried changing
> >>>> the attribute to Crypt-Password but it doesn't change anything.
> >>>
> >>> What do you mean by "doesn't change anything"? If you have changed the attribute name to "Crypt-Password" and you also modified the attribute's value accordingly, what do you expect? If it still works, then be happy.
> >>
> >> doesn't change anything = password is still showing as plain text. What do you mean by "modified the attribute's value accordingly"?
> >
> > You wrote that you changed clear text passwords to crypt-passwords. This means to me you updated your database, hence your database does not show clear text passwords anymore. What exactly did you do, when you changed from clear text to crypt-passwords?
> >
> > I assumed you did something like this:
> >
> > UPDATE radcheck set attribute = 'Crypt-Password', value = SOME_FANCY_CONVERT_FUNCTION( value ) WHERE some_senseful_condition_here;
> >
> > Anyway, I now notice that you were speaking of "radacct". This table is not to show any password at all.
> >
> >>>
> >>>
> >>>> Do I
> >>>> need to make a change to a config file also? Not sure what type of
> >>>> encryption would be best one that works MD5?
> >>>
> >>> For a compatibility of password encryption schemes and protocols, see here:
> >>> http://deployingradius.com/documents/protocols/compatibility.html
> >>>
> >>>> Thanks,
> >>>
> >>> Matthias
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
----------------------------------------------------------------------
Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
e-Mail: matthias.h.nagel at gmail.com
ICQ: 499797758
Skype: nagmat84
