Adding additional password encryption options

Alan DeKok aland at deployingradius.com
Wed May 25 21:14:24 CEST 2016


On May 25, 2016, at 12:39 PM, Laurens Vets <laurens at daemon.be> wrote:
> Is it possible to add additional password encryption options to FreeRADIUS so that the user database can be used as a user/password store (For instance PBKDF2 or scrypt)?

  Update the code in rlm_pap.

  Why?  Because it's critical to get authentication correct.  And the best way to do that is to implement it ourselves.

> When I look at "man rlm_pap", the number of encryption options for passwords is limited when FreeRADIUS is your only user database. I'm creating a POC where users can register for an account to use certain services (accessible via radius authentication) and I'm trying to only use the FreeRADIUS mysql database as a backend to keep it simple, but the password encryption methods aren't considered secure by today's standards.

  As Arran noted, yes... modern and secure options are available.

  We allow old methods because people have old systems.

> Short of maintaining 2 databases with user information, how are people on the list handling these cases or is my use case a bit out of the ordinary?

  Your situation is a bit out of the ordinary.  99% of sites have users in their AD (and NT hashed passwords), or in an SQL or LDAP database, which use industry standard password hashes.

  Newer password hash methods are just not that widely used.

  But if you contribute patches to update rlm_pap, I would be happy to integrate them.

  Alan DeKok.
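The thread above asks for PBKDF2 or scrypt verification of passwords held in the RADIUS SQL store. The following is an added illustration, not code from FreeRADIUS or rlm_pap and not anything the posters wrote: it shows what a self-describing PBKDF2-HMAC-SHA256 password record looks like, how it is produced at registration time, and how a verifier checks a cleartext PAP password against it. The record format (`$pbkdf2-sha256$<iterations>$<base64 salt>$<base64 digest>`), the iteration count and the function names are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed record layout for this example (not rlm_pap's own format):
#   $pbkdf2-sha256$<iterations>$<base64 salt>$<base64 derived key>
# Embedding the parameters in the record lets the iteration count be
# raised later without invalidating existing rows.
ALGO = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 600_000   # assumed cost; tune to your hardware
SALT_LEN = 16
DIGEST_LEN = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Produce a stored record for a new user (done at registration)."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    if salt is None:
        salt = os.urandom(SALT_LEN)   # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=DIGEST_LEN)
    return "$%s$%d$%s$%s" % (ALGO, iterations, _b64(salt), _b64(dk))


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (iterations, salt, digest).

    Raises ValueError on anything that does not match the layout, so a
    corrupted or foreign row cannot be mistaken for a valid hash."""
    parts = record.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != ALGO:
        raise ValueError("unsupported record format")
    iterations = int(parts[2])
    if iterations < 1:
        raise ValueError("bad iteration count")
    salt = base64.b64decode(parts[3], validate=True)
    digest = base64.b64decode(parts[4], validate=True)
    if not salt or len(digest) != DIGEST_LEN:
        raise ValueError("bad salt or digest length")
    return iterations, salt, digest


def verify_password(password: str, record: str) -> bool:
    """What a PAP verifier does: recompute and compare in constant time."""
    try:
        iterations, salt, expected = parse_record(record)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=len(expected))
    # hmac.compare_digest avoids leaking how many bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if a row was written with a weaker cost than currently required."""
    try:
        iterations, _, _ = parse_record(record)
    except (ValueError, TypeError):
        return True
    return iterations < minimum_iterations


if __name__ == "__main__":
    # Constructed sample: what would be written to the users table.
    row = hash_password("correct horse battery staple", iterations=10_000)
    print("stored:", row)
    print("good password:", verify_password("correct horse battery staple", row))
    print("bad password: ", verify_password("Tr0ub4dor&3", row))
    print("needs rehash: ", needs_rehash(row))
```

Because the cost and salt travel with the record, a deployment can bump `DEFAULT_ITERATIONS` and transparently rehash on the next successful login via `needs_rehash`; scrypt or Argon2 would follow the same record shape with their own parameters in place of the iteration count.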
