MD5-Password attribute

Alan DeKok aland at
Mon May 16 17:14:16 CEST 2016

On May 16, 2016, at 11:08 AM, Michael Hocke <mh103 at> wrote:
> up until now we stored the base64_md5 formatted hash in MD5-Password. Then somebody came along whose hash starts with ‘0X’ and it broke the SQL module because it tried (and failed, of course) to convert the base64 string into hex since it starts with 0X and the type of the MD5-Password, as defined in the dictionary, is Octet.

  Yes.  Because the MD5-Password attribute does *not* take base 64 input.

> I believe this should be documented and the rlm_pap man page should not suggest that a base64 encoded MD5 hash can be stored in the MD5-Password attribute. Or maybe this is a bug and the conversion should work just fine?

  The pap module takes the password in whatever format, and tries to fix it.  As you found out, this process isn't perfect. Largely because it *can't* be perfect.

> What is a more favorable approach now? Using just the hex presentation of the hash and leave it in MD5-Password or rather use Password-With-Header and prepend {base64_md5}? Is one preferred over the other?

  My $0.02 would be to use the hex representation of the hash.  Tho that may require more changes.

  Or, use SQL to create a Password-With-Header attribute instead of MD5-Password.  Then in "unlang", prepend {base64_md5}, before the "pap" module is called.  That leaves all of the changes in the server configuration, and not in your database.

  Alan DeKok.

More information about the Freeradius-Users mailing list