Backslash in password failing with NT-Password hashes

Dave Duchscher daved at nostrum.com
Tue Oct 21 15:22:15 CEST 2014


We had a strange case where a users was unable to authenticate with our VPN server but could on wireless.  I think I have tracked down the problem and am hoping I can get help with a fix.

My test environment is a stock freeradius 2.2.5 server with default configuration files. The only change was to manually add the NT-Password to check to the authorize section.

 update control {
   NT-Password := 'CD09F6070B94F498FC9D6668800E6854';
 }

That is the NT hash for the password 'pass\word'.  Test client is radtest on the same system.

 radtest -d /usr/local/etc/raddb -t pap -x username pass\\word localhost 100 testing123

Testing this with the NT hash for the password 'password' works.  When I test with password 'pass\word', I see the wrong NT hash being generated so authentication fails.

 Tue Oct 21 08:03:54 2014 : Info: [pap] login attempt with password "pass\word"
 Tue Oct 21 08:03:54 2014 : Info: [pap] Using NT encryption.
 Tue Oct 21 08:03:54 2014 : Info: [pap] 	expand: %{User-Password} -> pass\\word
 Tue Oct 21 08:03:54 2014 : Info: [pap] NT-Hash of pass\\word = 5a022f09a08097a8f2ca5d16ef3df23e
 Tue Oct 21 08:03:54 2014 : Info: [pap] 	expand: %{mschap:NT-Hash %{User-Password}} -> 5a022f09a08097a8f2ca5d16ef3df23e
 Tue Oct 21 08:03:54 2014 : Info: [pap] Passwords don't match

From what I am seeing it look like the password is sent across correctly but then the backslash is escaped and that escaped result is hashed which gets us to the wrong hash.

Any ideas?

--
Dave



More information about the Freeradius-Users mailing list