pptpd+freeradius+ldap: which password encryption can I use?

John Dennis jdennis at redhat.com
Tue Apr 30 14:54:18 CEST 2013

On 04/30/2013 06:11 AM, Alberto Aldrigo wrote:
> Hi Everybody,
> I'm trying to setup a PPTPD server which would authenticate users using
> my openLDAP user database, in doing so I need freeradius.
> By now the only setup that actually works is: users in LDAP with clear
> text password.
> Obviously I want to use some kind of encryption for passwords and I
> don't like the solution of using cleartext passwords and the use of a
> specific user allowed to access to the password attribute, so my
> question is: which other possibilities I have?
> Looking to this table
> http://deployingradius.com/documents/protocols/compatibility.html I
> understand that I can use pap + sha1 but I can't understand how. Can
> anyone help me understand what is possible and what not?
> Many thanks

cleartext passwords should work for most everything as shown in the 
compatibility table, if it's not you've broken something.

You other option is to hash your passwords, refer to the table for what 
will work, you'll probably need to prefix your password values with a 
scheme prefix.

However hashing is *not* encryption nor is hashing secure. Do not depend 
on hashing to provide protection! Most hashes can be broken easily, This 
is especially true if they can be retrieved for offline cracking which 
is the gift you're giving your attacker if you don't lock down your 
password attributes.

Bottom line, there is no short-cut or excuse not to lock down password 
attributes with ACL's such that only a select subset of users can see 
them (e.g. radiusd, root).

John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?

More information about the Freeradius-Users mailing list