Ssha512 value

Arran Cudbard-Bell a.cudbardb at
Thu Jan 22 15:05:27 CET 2015

> On 22 Jan 2015, at 19:43, Robert Graham <robert_graham at> wrote:
> Upgraded FR to the 3.0.x release and the password shows that it is ssha512
> but where in the code does the salt get pulled from? and where do I
> configure it?

There is no separate salt attribute.

update control {
	SSHA2-512-Password := "0x%{sql:query to get hash in hex concatenated with salt in hex}"

For salted hashes it's always <hash><salt>. The hash part is determined by the expected length
of the hash. So for SHA512 the first 64 bytes of the hash/salt concatenation are assumed to be
the hash, and the rest is assumed to be the salt.

The code takes the salt part, creates the concatenation of <password><salt> and passes that to 
SHA512, the result of that is then compared to <hash>.

If you can't figure out how to get the hash in hex form, the server will accept base64 as an 
alternative, but you should then do:

update control {
	Password-With-Header := "{ssha512}%{sql:query to get hash concatenated with salt in base64}"

The PAP module will then use heuristics to determine the correct encoding (hex or base64 or none),
and normalise the <hash><salt> to binary data.

Note: You can't just concatenate two base64 strings. If they're stored that way in the db they 
would have to be separately decoded and the result concatenated.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

More information about the Freeradius-Users mailing list