PHP MD5 with appended salt
René Klomp
rene at klomp.ws
Thu Mar 7 17:15:17 CET 2013
> xlat are placeholders in strings, usually used for substituting attribute values, for example:
>
> update reply {
>     Reply-Message := "Hello %{User-Name}"
> }
>
> The %{User-Name} is an xlat expansion.
>
> The xlat expansion "%{md5:<text>}" expands to an md5 hash of <text>. So you have something like:
>
> if ("%{md5:%{User-Password}:%{Salt}}" == %{<database password>}) {
>     update control {
>         Auth-Type := 'Access-Accept'
>     }
> }
>
> There's also an %{sql:<text>} xlat, which executes the <text> portion as a query and expands to the first column of the first row in the result set.
>
> In the above condition you could use the sql xlat in place of %{Salt} and %{<database password>} to retrieve the bits of info you need to authenticate the user, though it's a little inefficient as you have to query twice.
>
> There are ways to work around the limitations of sql xlat, for example you can CONCAT the values of two columns and then break them apart with a regex and capture groups. See man unlang.
>
> -Arran
Nice :)
I have added the following to my authorize section and it works:
if ("%{md5:%{User-Password}:<SALT>}" == "%{sql:SELECT radcheck.value FROM `radcheck` WHERE radcheck.username ='%{User-Name}'}") {
    update control {
        Auth-Type := 'Accept'
    }
}
else {
    sql # to make sure that the sql module is loaded.
}
Is there a better way to solve the loading of the sql module?
If I do not include the else section, the %{sql:...} does not work. But if I place it outside the else, or when the user enters the wrong password, the database is queried twice.
Thanks for your help
- Rene
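
Added example, not part of the original thread and not FreeRADIUS code: a Python model of the comparison discussed above, using the single-query approach Arran mentions (CONCAT two columns, then split them with regex capture groups). The `salt` column, the "hash:salt" layout, lowercase hex output from the md5 expansion, and the sample values are assumptions.

```python
import hashlib
import hmac
import re

# Assumed shape of the single-query result: "<32 hex chars>:<salt>", e.g. from
# SELECT CONCAT(value, ':', salt) ... (the salt column is hypothetical).
COMBINED = re.compile(r"([0-9a-fA-F]{32}):(.*)", re.DOTALL)


def md5_xlat(text: str) -> str:
    """Model of %{md5:<text>}: hex MD5 of the expanded text (lowercase assumed)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def check_password(user_password: str, combined: str) -> bool:
    """Split the combined DB value with capture groups, then compare digests."""
    match = COMBINED.fullmatch(combined)
    if match is None:
        # No row, or a malformed value: fail closed instead of accepting.
        return False
    stored_hash, salt = match.group(1).lower(), match.group(2)
    # Everything after "md5:" is hashed, so the ':' separator is part of the
    # input. Whatever wrote the stored hash must hash "password:salt" too.
    computed = md5_xlat(f"{user_password}:{salt}")
    return hmac.compare_digest(computed, stored_hash)


# Constructed sample data (not from the original post).
SAMPLE_SALT = "s3:lt"  # contains ':' to show the split stays on the first one
SAMPLE_ROW = md5_xlat("hunter2:" + SAMPLE_SALT) + ":" + SAMPLE_SALT

if __name__ == "__main__":
    print(check_password("hunter2", SAMPLE_ROW))
    print(check_password("wrong", SAMPLE_ROW))
    print(check_password("hunter2", ""))
```
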