Ssha512 value

Robert Graham robert_graham at uhaul.com
Wed Jan 28 02:06:49 CET 2015


We were able to get the output of the salt in hex form, but getting it to
concatenate is a whole other problem. I did research on the web and
tried all possible examples of the query, but it still would not give me the
information that I need.

If I have a column that has the hashed password and a column that has a
salt that is in hex format... how would the

update control {
SSHA2-512-Password =: "0x%{sql:SELECT    what is the proper context to
concatenate the hashed pw in hex and the salt in hex

Robert Graham


FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
writes:
>
>> On 22 Jan 2015, at 19:43, Robert Graham <robert_graham at uhaul.com> wrote:
>> 
>> Upgraded FR to the 3.0.x release and the password shows that it is
>> ssha512 but where in the code does the salt get pulled from? and where
>> do I configure it?
>
>There is no separate salt attribute.
>
>update control {
>	SSHA2-512-Password := "0x%{sql:query to get hash in hex concatenated with salt in hex}"
>}
>pap
>
>For salted hashes it's always <hash><salt>. The hash part is determined
>by the expected length of the hash. So for SHA512 the first 64 bytes of
>the hash/salt concatenation are assumed to be the hash, and the rest is
>assumed to be the salt.
>
>The code takes the salt part, creates the concatenation of
><password><salt> and passes that to SHA512, the result of that is then
>compared to <hash>.
>
>If you can't figure out how to get the hash in hex form, the server will
>accept base64 as an alternative, but you should then do:
>
>update control {
>	Password-With-Header := "{ssha512}%{sql:query to get hash concatenated with salt in base64}"
>}
>pap
>
>The PAP module will then use heuristics to determine the correct encoding
>(hex or base64 or none), and normalise the <hash><salt> to binary data.
>
>Note: You can't just concatenate two base64 strings. If they're stored
>that way in the db they would have to be separately decoded and the
>result concatenated.
>
>-Arran
>
>Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>FreeRADIUS development team
>
>FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
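
The `<hash><salt>` layout described in the reply above, as an added Python example that is not part of the original thread and is not FreeRADIUS code: it builds the hex and base64 values from separately stored hash and salt columns and re-checks a password the way the reply describes. The function names and the sample password and salt are constructed for illustration.

```python
import base64
import hashlib
import hmac

SHA512_LEN = 64  # bytes; per the reply, the first 64 bytes are the hash


def control_value_hex(hash_hex: str, salt_hex: str) -> str:
    """Build the SSHA2-512-Password string from two hex columns."""
    bytes.fromhex(hash_hex + salt_hex)  # raises ValueError on non-hex input
    if len(hash_hex) != 2 * SHA512_LEN:
        raise ValueError("hash column is not a 64-byte SHA-512 digest")
    # Hex is two characters per byte, so plain string concatenation is safe.
    return "0x" + hash_hex + salt_hex


def control_value_b64(hash_b64: str, salt_b64: str) -> str:
    """Build the Password-With-Header string from two base64 columns."""
    # Each base64 string carries its own padding, so decode both,
    # join the raw bytes, and encode the result once.
    raw = base64.b64decode(hash_b64) + base64.b64decode(salt_b64)
    return "{ssha512}" + base64.b64encode(raw).decode("ascii")


def verify(password: bytes, blob: bytes) -> bool:
    """Check a password against binary <hash><salt>."""
    stored, salt = blob[:SHA512_LEN], blob[SHA512_LEN:]
    computed = hashlib.sha512(password + salt).digest()
    # Constant-time comparison (a choice made for this example).
    return hmac.compare_digest(computed, stored)


def make_sample(password: bytes, salt: bytes):
    """Constructed sample row: (hash, salt) as the two columns would hold them."""
    return hashlib.sha512(password + salt).digest(), salt


if __name__ == "__main__":
    h, s = make_sample(b"correct horse", bytes.fromhex("a1b2c3d4e5"))
    value = control_value_hex(h.hex(), s.hex())
    print(value)
    print(verify(b"correct horse", bytes.fromhex(value[2:])))
```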



