Authentication protocols that DO support hashed passwords

E.S. Rosenberg esr+freeradius-users at mail.hebrew.edu
Wed Nov 12 14:34:43 CET 2014


On Tue, Nov 11, 2014 at 10:03 PM, Alan DeKok <aland at deployingradius.com> wrote:
> E.S. Rosenberg wrote:
>> Since the hashing functions also exist on the client side what stops
>> the protocols from basing the hash requested from the client on the
>> _hash_ of the users' password?
>
>   They're not designed to do that.
>
>   This isn't a difficult concept.  Protocols are defined to have a
> certain behavior.  You can't just randomly change the behavior, and
> expect the same results.
>
>   All of the rest of your speculations are based on inexperience, and a
> lack of understanding of how these protocols work.  We're not the ones
> who designed the protocols.  We're not the ones who implemented the
> Microsoft, Apple, etc. side of the protocols.  We're just explaining to
> you why your ideas won't work.
>
>   There's no point in discussing changes on this list.  For one, you
> don't know what changes to make, because you don't know how the
> protocols work.  For two, we don't control the protocol design or their
> implementations.
Thanks for all the explanations, this discussion has been enlightening.
As far as the "don't design/control" goes, in some other OSS projects I
am familiar with, the contributors to the project also took active
roles in newer standards being developed, since they were also
stakeholders/parties of interest.
EAP-PWD definitely looks interesting and I'll be keeping an eye on it.

Above, "supporting all existing devices" is mentioned, but we do have
the luxury with newer services to say "this service is only supported
on ..." (and since we are a *nix outfit that's even easier: we don't
have to support MS stuff).
Regards and thanks for all your time invested in answering my questions,
Eli
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
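The following is an added Python illustration of the point the thread turns on; it is not part of the original messages or of FreeRADIUS's own code. It shows why a verifier's ability to hold a hashed password is fixed by how each protocol is defined: RFC 1994 CHAP hashes the raw secret bytes, so only the cleartext can compute or verify a response; PAP carries the cleartext itself, so the server can store any hash. The "hashed challenge-response" scheme, the design the original question asks about, is a constructed hypothetical (HMAC-SHA256 over the stored hash), not any real RADIUS or EAP method, and it is included to show the caveat a practitioner wants: once a protocol is defined over the stored hash, that hash becomes password-equivalent, so a dumped user database authenticates as well as the password does. The password, salt, and challenge values are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample credential, salt and CHAP identifier (not from the thread).
PASSWORD = "correct horse battery staple"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
CHAP_ID = 0x2A


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge).
    The secret enters the hash as its raw bytes, so the verifier must hold
    the cleartext; a stored hash of the secret is not an input the protocol knows."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_verify(ident: int, challenge: bytes, response: bytes, stored_cleartext: str) -> bool:
    """Server side of CHAP: recompute from the cleartext it must keep on file."""
    return hmac.compare_digest(chap_response(ident, stored_cleartext, challenge), response)


def stored_hash(password: str, salt: bytes) -> bytes:
    """What a *nix-style user store keeps instead of the cleartext (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def chap_from_stored_hash_works(ident: int, challenge: bytes, salt: bytes) -> bool:
    """A verifier that only has the hash can at best put the hash where the secret goes.
    That is a different protocol from the one the client speaks, so it never matches."""
    real = chap_response(ident, PASSWORD, challenge)
    attempt = hashlib.md5(bytes([ident]) + stored_hash(PASSWORD, salt) + challenge).digest()
    return hmac.compare_digest(real, attempt)


def pap_verify(password_on_wire: str, salt: bytes, stored: bytes) -> bool:
    """PAP: the cleartext itself arrives at the server (so it must be protected in
    transit), and any stored hash format can verify it."""
    return hmac.compare_digest(stored_hash(password_on_wire, salt), stored)


def hashed_cr_response(key: bytes, challenge: bytes) -> bytes:
    """Constructed (hypothetical) challenge-response defined over the stored hash
    rather than the cleartext: HMAC-SHA256(stored_hash, challenge).
    This is the design the question asks about; it is not a real RADIUS/EAP method."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def hashed_cr_verify(stored: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side of the constructed scheme: only the stored hash is needed."""
    return hmac.compare_digest(hashed_cr_response(stored, challenge), response)


def legit_client_hashed_cr(challenge: bytes, salt: bytes) -> bytes:
    """The real user derives the key from the password they know."""
    return hashed_cr_response(stored_hash(PASSWORD, salt), challenge)


def attacker_with_dumped_hash(stolen_hash: bytes, challenge: bytes) -> bytes:
    """An attacker who copied the user database, and never learned PASSWORD,
    answers the challenge just as well: the stored hash is now password-equivalent."""
    return hashed_cr_response(stolen_hash, challenge)


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed challenge
    on_file = stored_hash(PASSWORD, SALT)
    print("CHAP from cleartext verifies:",
          chap_verify(CHAP_ID, challenge, chap_response(CHAP_ID, PASSWORD, challenge), PASSWORD))
    print("CHAP answerable from stored hash:", chap_from_stored_hash_works(CHAP_ID, challenge, SALT))
    print("PAP against PBKDF2 store:", pap_verify(PASSWORD, SALT, on_file))
    print("hashed-CR, real user:", hashed_cr_verify(on_file, challenge, legit_client_hashed_cr(challenge, SALT)))
    print("hashed-CR, attacker with only the hash:",
          hashed_cr_verify(on_file, challenge, attacker_with_dumped_hash(on_file, challenge)))
```

The last line is the trade-off behind "protocols are defined to have a certain behavior": a protocol defined over the cleartext lets the server store a slow salted hash but forces the cleartext onto the wire (PAP) or into the server's database (CHAP); a protocol defined over the stored hash spares the database from holding the cleartext but turns that hash into a credential that authenticates directly if it leaks.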