Ssha512 value

Robert Graham robert_graham at
Wed Jan 28 02:06:49 CET 2015

We were able to get the output of the salt in hex form, but getting it to
concatenate is a whole other problem. I did research on the web and
tried all possible examples of the query, but it still would not give me the
information that I need.

If I have a column that has the hashed password and a column that has a
salt that is in hex format... how would the

update control {
SSHA2-512-Password =: "0x%{sql:SELECT    what is the proper context to
concatenate the hashed pw in hex and the salt in hex

Robert Graham

FreeRadius users mailing list <freeradius-users at>
>> On 22 Jan 2015, at 19:43, Robert Graham <robert_graham at> wrote:
>> Upgraded FR to the 3.0.x release and the password shows that it is
>> but where in the code does the salt get pulled from? and where do I
>> configure it?
>There is no separate salt attribute.
>
>update control {
>	SSHA2-512-Password := "0x%{sql:query to get hash in hex concatenated with salt in hex}"
>}
>
>For salted hashes it's always <hash><salt>. The hash part is determined
>by the expected length of the hash. So for SHA512 the first 64 bytes of
>the hash/salt concatenation are assumed to be the hash, and the rest is
>assumed to be the salt.
>
>The code takes the salt part, creates the concatenation of
><password><salt> and passes that to SHA512, the result of that is then
>compared to <hash>.
>
>If you can't figure out how to get the hash in hex form, the server will
>accept base64 as an alternative, but you should then do:
>
>update control {
>	Password-With-Header := "{ssha512}%{sql:query to get hash concatenated with salt in base64}"
>}
>
>The PAP module will then use heuristics to determine the correct encoding
>(hex or base64 or none), and normalise the <hash><salt> to binary data.
>
>Note: You can't just concatenate two base64 strings. If they're stored
>that way in the db they would have to be separately decoded and the
>result concatenated.
>
>Arran Cudbard-Bell <a.cudbardb at>
>FreeRADIUS development team
>FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
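
The <hash><salt> check described in the quoted reply, written out as an added Python example (not FreeRADIUS code and not part of the original thread). The password, salt and function names are constructed for illustration, and `normalise` is a simplified stand-in for the PAP module's encoding heuristics.

```python
import base64
import hashlib
import hmac

SHA512_LEN = 64  # bytes; the rest of <hash><salt> is treated as the salt

# Constructed sample values (not from the thread).
PASSWORD = b"testing123"
SALT = bytes.fromhex("0123456789abcdef")


def db_columns(password: bytes, salt: bytes) -> tuple:
    """Hypothetical stand-in for the two DB columns: (hash_hex, salt_hex)."""
    return hashlib.sha512(password + salt).hexdigest(), salt.hex()


def normalise(stored: str) -> bytes:
    """Decode hex (optional 0x prefix) or base64 into binary <hash><salt>."""
    hexpart = stored[2:] if stored.startswith("0x") else stored
    try:
        return bytes.fromhex(hexpart)
    except ValueError:
        # binascii.Error (a ValueError) propagates if this is not base64 either
        return base64.b64decode(stored, validate=True)


def verify(password: bytes, stored: str) -> bool:
    """Split at 64 bytes, recompute SHA512(<password><salt>), compare."""
    try:
        blob = normalise(stored)
    except ValueError:
        return False
    if len(blob) < SHA512_LEN:
        return False
    digest, salt = blob[:SHA512_LEN], blob[SHA512_LEN:]
    candidate = hashlib.sha512(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


def encodings(hash_hex: str, salt_hex: str) -> dict:
    """Build the values discussed in the thread from the two columns."""
    h, s = bytes.fromhex(hash_hex), bytes.fromhex(salt_hex)
    return {
        "hex": "0x" + hash_hex + salt_hex,           # hex strings join safely
        "b64_ok": base64.b64encode(h + s).decode(),  # join binary, then encode
        # 64 bytes always encode with "==" padding, so padding lands mid-string
        "b64_naive": base64.b64encode(h).decode() + base64.b64encode(s).decode(),
    }
```

Hex columns can be concatenated as strings because every byte maps to exactly two characters; a 64-byte SHA512 digest always base64-encodes with trailing `==`, which is why joining two base64 strings produces a malformed value.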
