Ssha512 value
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Jan 22 15:05:27 CET 2015
> On 22 Jan 2015, at 19:43, Robert Graham <robert_graham at uhaul.com> wrote:
>
> Upgraded FR to the 3.0.x release and the password shows that it is ssha512
> but where in the code does the salt get pulled from? and where do I
> configure it?
There is no separate salt attribute.

    update control {
        SSHA2-512-Password := "0x%{sql:query to get hash in hex concatenated with salt in hex}"
    }
    pap

For salted hashes it's always <hash><salt>. The hash part is determined by the expected length
of the hash. So for SHA512 the first 64 bytes of the hash/salt concatenation are assumed to be
the hash, and the rest is assumed to be the salt.
The code takes the salt part, creates the concatenation of <password><salt> and passes that to
SHA512, the result of that is then compared to <hash>.
If you can't figure out how to get the hash in hex form, the server will accept base64 as an
alternative, but you should then do:

    update control {
        Password-With-Header := "{ssha512}%{sql:query to get hash concatenated with salt in base64}"
    }
    pap

The PAP module will then use heuristics to determine the correct encoding (hex or base64 or none),
and normalise the <hash><salt> to binary data.
Note: You can't just concatenate two base64 strings. If they're stored that way in the db they
would have to be separately decoded and the result concatenated.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
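
The check described in the message above, as an added example that is not part of the original post and is not FreeRADIUS code: it splits the stored <hash><salt> at 64 bytes, recomputes SHA512(<password><salt>), and shows why separately stored base64 columns must be decoded before they are joined. All function names and the sample password and salt are constructed for illustration, and normalise() is a simplified stand-in for the PAP module's heuristics.

```python
import base64
import hashlib
import hmac

SHA512_LEN = 64  # bytes; everything after this in <hash><salt> is the salt


def make_ssha512(password: bytes, salt: bytes) -> bytes:
    """Build binary <hash><salt>, where hash = SHA512(<password><salt>)."""
    return hashlib.sha512(password + salt).digest() + salt


def normalise(stored: str) -> bytes:
    """Decode a stored value to binary: try hex (optional 0x), then base64."""
    text = stored[2:] if stored.lower().startswith("0x") else stored
    try:
        return bytes.fromhex(text)
    except ValueError:
        return base64.b64decode(text, validate=True)


def verify_ssha512(password: bytes, stored: str) -> bool:
    """Split at 64 bytes, hash <password><salt>, compare to <hash>."""
    try:
        blob = normalise(stored)
    except ValueError:  # neither valid hex nor valid base64
        return False
    if len(blob) <= SHA512_LEN:
        return False  # no salt present, or a truncated hash
    digest, salt = blob[:SHA512_LEN], blob[SHA512_LEN:]
    candidate = hashlib.sha512(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


def join_b64_fields(hash_b64: str, salt_b64: str) -> str:
    """Combine separate base64 columns: decode each, concatenate, re-encode."""
    raw = base64.b64decode(hash_b64) + base64.b64decode(salt_b64)
    return base64.b64encode(raw).decode()


# Constructed sample data (not from the original post)
PASSWORD = b"testing123"
SALT = bytes.fromhex("a1b2c3d4e5f60718")
BLOB = make_ssha512(PASSWORD, SALT)
HEX_VALUE = "0x" + BLOB.hex()               # form used with SSHA2-512-Password
B64_VALUE = base64.b64encode(BLOB).decode()  # form used after {ssha512}
HASH_B64 = base64.b64encode(BLOB[:SHA512_LEN]).decode()
SALT_B64 = base64.b64encode(SALT).decode()
```
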