PAP and NT-hashed password
sb
superabx at gmail.com
Tue Dec 30 16:28:51 CET 2014
On Tue, Dec 30, 2014 at 5:00 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
> > Full output of freeradius -X after command
> >
> > [local] performing search in dc=ourcorp,dc=net, with filter (uid=abx)
> > [local] checking if remote access for abx is allowed by dialupAccess
> > [local] Added User-Password = 1D*************************************9B in check items
>
> And… that’s the issue. You’ve configured it to get the User-Password
> from LDAP.
>
Yes, but how to prevent it? I have nothing about User-Password in
freeradius configs:
=================================================================
/etc/freeradius# grep -R User-Password *
attrs.pre-proxy:# User-Password =* ANY,
attrs.pre-proxy: #User-Password =* ANY,
eap.conf: # User-Password, or the NT-Password attributes.
eap.conf: # the User-Password.
eap.conf: # is put into a User-Password attribute,
eap.conf: # the module will look for a User-Password
experimental.conf: # packets containing a User-Password attribute.
modules/ntlm_auth: program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
modules/smsotp:# The module does not check the User-Password, this should be done with
modules/detail: # Certain attributes such as User-Password may be
modules/detail: # User-Password
modules/sql_log: ('%{User-Name}', '%{User-Password:-Chap-Password}', \
modules/detail.log: User-Password
modules/detail.log: # User-Password
modules/pap:# In this case, the module will look inside of the User-Password
modules/ldap:# Access-Request packet contains a clear-text User-Password
modules/ldap: # By default, if the packet contains a User-Password,
root@ukv69:/etc/freeradius#
===================================================================
Everything is commented out, except ntlm_auth and detail.log; I believe neither of those is what I have to change.
ldap.attrmap:
===================================================================
checkItem  $GENERIC$              radiusCheckItem
replyItem  $GENERIC$              radiusReplyItem
checkItem  Auth-Type              radiusAuthType
checkItem  Simultaneous-Use       radiusSimultaneousUse
checkItem  Called-Station-Id      radiusCalledStationId
checkItem  Calling-Station-Id     radiusCallingStationId
checkItem  LM-Password            lmPassword
checkItem  NT-Password            ntPassword
checkItem  LM-Password            sambaLmPassword
checkItem  NT-Password            sambaNtPassword
checkItem  LM-Password            dBCSPwd
checkitem  Password-With-Header   userPassword
checkItem  SMB-Account-CTRL-TEXT  acctFlags
checkItem  Expiration             radiusExpiration
checkItem  NAS-IP-Address         radiusNASIpAddress
====================================================================
> > [local] No default NMAS login sequence
> > [local] looking for check items in directory...
> > [local] sambaNtPassword -> NT-Password == 0x31***********************************************************************42
>
> That means it’s not using the NT-Password.
>
> > Found Auth-Type = PAP
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > !!! Replacing User-Password in config items with Cleartext-Password.         !!!
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > !!! Please update your configuration so that the "known good"                !!!
> > !!! clear text password is in Cleartext-Password, and not in User-Password.  !!!
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> It helps to READ these messages and fix the problem. If you had done
> that, it would have worked.
>
I've tried, but there is nothing about User-Password in the configs, so I cannot replace it with Cleartext-Password.