PHP MD5 with appended salt

René Klomp rene at klomp.ws
Thu Mar 7 17:15:17 CET 2013


>  xlat are placeholders in strings, usually used for substituting attribute values, for example: 

>  
>  update reply {
>          Reply-Message := "Hello %{User-Name}"
>  }
>  
>  The %{User-Name} is an xlat expansion.
>  
>  The xlat expansion "%{md5:<text>}" expands to an md5 hash of <text>. So you have something like:
>  
>  if ("%{md5:%{User-Password}:%{Salt}}" == %{<database password>}) {
>          update control {
>                  Auth-Type := 'Access-Accept'
>          }
>  }
>  
>  There's also an %{sql:<text>} xlat, which executes the <text> portion as a query and expands to the first column of the first row in the result set.
>  
>  In the above condition you could use the sql xlat in place of %{Salt} and %{<database password>} to retrieve the bits of info you need to authenticate the user, though it's a little  inefficient as you have to query twice. 
>  
>  There are ways to work around the limitations of sql xlat, for example you can CONCAT the values of two columns and then break them apart with a regex and capture groups. See man unlang.
>  
>  -Arran


Nice :) 


I have added the following to my authorize section and it works:



        # Hash the cleartext User-Password with the fixed salt and compare it with the
        # value stored for this user in radcheck (fetched with the sql xlat).
        if ("%{md5:%{User-Password}:<SALT>}" == "%{sql:SELECT radcheck.value FROM `radcheck` WHERE radcheck.username = '%{User-Name}'}") {
                update control {
                        Auth-Type := 'Accept'
                }
        }
        else {
                sql  # to make sure that the sql module is loaded.
        }


Is there a better way to solve the loading of the sql module?
If I do not include the else section, the %{sql:...} does not work. But if I place it outside the else, or when the user enters the wrong password, the database is queried twice.


Thanks for your help


- Rene
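The following is a stand-alone Python example added to this page; it is not Rene's unlang, nor FreeRADIUS or PHP code. It reproduces outside the server what the "%{md5:%{User-Password}:<SALT>}" expansion computes, so a stored radcheck value can be checked against it when debugging a mismatch, and it also models the single-query variant Arran describes: select CONCAT(salt, ':', value) in one column and split it with a regex and two capture groups. Assumptions: the PHP side stores md5($password . ':' . $salt) as 32 lowercase hex characters; the salt, usernames and table rows are constructed for the example.

```python
import hashlib
import hmac
import re

# Assumption: the PHP application stores md5($password . ':' . $salt), lowercase hex,
# which is exactly what the unlang expansion "%{md5:%{User-Password}:<SALT>}" produces.
STATIC_SALT = "site-wide-salt"  # constructed stand-in for the hard-coded <SALT> in the post

# Mirrors the "CONCAT two columns, then split with a regex and capture groups" trick:
# one SQL column holding "<salt>:<md5hex>" is split into %{1} and %{2}.
CONCAT_RE = re.compile(r"^([^:]+):([0-9a-f]{32})$")


def salted_md5(password: str, salt: str) -> str:
    """md5 over "password:salt" as lowercase hex: the scheme the post compares against."""
    return hashlib.md5(f"{password}:{salt}".encode("utf-8")).hexdigest()


def split_concat_row(value: str):
    """Split a CONCAT(salt, ':', value) result into (salt, hash); None if it is malformed."""
    m = CONCAT_RE.match(value)
    if not m:
        return None
    return m.group(1), m.group(2)


def build_radcheck():
    """Constructed stand-in for the radcheck table: username -> (salt, stored md5 hex).
    alice and bob share a password under the static salt; carol has a per-user salt."""
    return {
        "alice": (STATIC_SALT, salted_md5("hunter2", STATIC_SALT)),
        "bob": (STATIC_SALT, salted_md5("hunter2", STATIC_SALT)),
        "carol": ("a9f3c1", salted_md5("hunter2", "a9f3c1")),
    }


def fetch_concat(radcheck, username: str):
    """Simulates %{sql:SELECT CONCAT(salt, ':', value) ...}: first column of the first
    row, or None when no row matches (the xlat then expands to an empty string)."""
    row = radcheck.get(username)
    if row is None:
        return None
    return f"{row[0]}:{row[1]}"


def authenticate(radcheck, username: str, user_password: str) -> bool:
    """One-query version of the condition in the post: fetch salt and hash together,
    hash the supplied password with that salt, compare in constant time."""
    concat = fetch_concat(radcheck, username)
    if concat is None:
        return False
    parsed = split_concat_row(concat)
    if parsed is None:
        return False
    salt, stored = parsed
    return hmac.compare_digest(salted_md5(user_password, salt), stored)


if __name__ == "__main__":
    db = build_radcheck()
    print("alice/hunter2 :", authenticate(db, "alice", "hunter2"))
    print("alice/wrong   :", authenticate(db, "alice", "wrong"))
    print("alice == bob  :", db["alice"][1] == db["bob"][1])
```

Two points worth noting when running it. With a single site-wide <SALT> as in the post, alice and bob end up with identical stored values, so the table reveals which users share a password; a per-user salt column, fetched together with the hash via CONCAT, removes that and also avoids the second query Rene is asking about. The comparison uses hmac.compare_digest; the outcome is the same as a plain string comparison, only the timing does not depend on how many leading characters match.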


More information about the Freeradius-Users mailing list