Authentication protocols that DO support hashed passwords

E.S. Rosenberg esr+freeradius-users at mail.hebrew.edu
Mon Nov 10 20:18:15 CET 2014


On Mon, Nov 10, 2014 at 9:05 PM, Alan DeKok <aland at deployingradius.com> wrote:
> E.S. Rosenberg wrote:
>> Which in turn links to a nice page by Alan DeKok here:
>> http://deployingradius.com/documents/protocols/compatibility.html
>>
>> Which left me asking myself 2 questions:
>> 1. Did anything change in the past 5 years, is there any decently
>> supported protocol that does support hashed passwords (other than
>> PAP)?
>
>   MD5 etc. hasn't changed in the last 5 years.  So the table (and
> conclusions) haven't changed either.
No new EAP on the block that handles passwords stored in salted hashes?
>
>> 2. How can it be that all these protocols were designed with the idea
>> that the auth server should have a cleartext copy of the users'
>> password, haven't we all known for years now that that's a bad idea?
>
>   Because different people have different needs.  And most people don't
> think about RADIUS until it's too late to change their password storage
> method.
I understand that, my question is more "How is it that the various
RADIUS protocols can only work with cleartext passwords known on the
RADIUS server side?"
To me (someone who has been doing system admin/network admin/(web)
development work) it seems like the most obvious thing in the world
that I don't want my users' passwords to be stored anywhere where
I or any of my co-workers can get to them in cleartext, and since root
can get everywhere, that means cleartext passwords belong nowhere.

Now I may be naive or have never tried to develop an AUTH protocol, so
I am just very curious what the arguments are for storing cleartext?
Regards and thanks for the quick reply,
Eli
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
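The mechanics behind the question, as an added example that is not part of the thread or of FreeRADIUS itself: with PAP the client sends the password, so the server can rehash it against a stored salt and compare, whereas an RFC 1994 CHAP response is MD5(Identifier || secret || Challenge), which the server can only recompute if it holds the secret in the same form the client used, i.e. in cleartext. The password, identifier and challenge below are constructed sample values.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def store_salted_hash(password: bytes) -> tuple[bytes, bytes]:
    """What a server that never keeps cleartext stores: (salt, PBKDF2 digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return salt, digest


def pap_verify(stored: tuple[bytes, bytes], presented: bytes) -> bool:
    """PAP: the client transmits the password itself (protected only by the
    RADIUS shared secret / transport), so the server can rehash it with the
    stored salt and compare.  A salted hash on the server is enough."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", presented, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge).
    This is what the client computes from the cleartext password."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident: int, server_secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """CHAP: the server must recompute the exact same MD5 over the secret.
    If server_secret is the cleartext password this succeeds; if the server
    only has a salted hash (a different byte string than the client used),
    the digests can never match, so the check fails for every honest user."""
    return hmac.compare_digest(chap_response(ident, server_secret, challenge),
                               response)


def demo() -> dict:
    password = b"correct horse battery staple"  # constructed sample password
    stored = store_salted_hash(password)
    ident, challenge = 7, b"\x00\x11\x22\x33\x44\x55\x66\x77" * 2  # constructed
    client_response = chap_response(ident, password, challenge)
    return {
        "pap_with_salted_hash": pap_verify(stored, password),
        "chap_with_cleartext": chap_verify(ident, password, challenge, client_response),
        # the server substitutes its stored digest for the secret: cannot work
        "chap_with_salted_hash": chap_verify(ident, stored[1], challenge, client_response),
    }
```

The same argument applies to MS-CHAP and EAP-MD5, whose responses are likewise functions of the password (or its NT hash) that the server must reproduce.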

