Adding additional password encryption options

Laurens Vets laurens at daemon.be
Sun Sep 4 01:43:15 CEST 2016


Hi list,

>> Is it possible to add additional password encryption options to 
>> FreeRADIUS so that the user database can be used as a user/password 
>> store (For instance PBKDF2 or scrypt)?
>> 
> 
> Yeah, some guy submitted code to do that, but it was awful.
> 
>> When I look at "man rlm_pap", the number of encryption options for 
>> passwords is limited when FreeRADIUS is your only user database. I'm 
>> creating a POC where users can register for an account to use certain 
>> services (accessible via radius authentication) and I'm trying to only 
>> use the FreeRADIUS mysql database as a backend to keep it simple, but 
>> the password encryption methods aren't considered secure by today's 
>> standards.
> 
> What, salted SHA512 isn't considered secure by today's standards?
> 
> If you don't mind providing some PBKDF2 test output, I'll see if I can
> fix the code I have to not be terrible...

I'm using Python Passlib to generate the below output 
(https://pypi.python.org/pypi/passlib). The author of Passlib recommends 
using bcrypt, sha512_crypt or pbkdf2_sha512 in applications these days.

On Ubuntu: sudo apt-get install python-passlib python3-passlib

>>> from passlib.hash import bcrypt
>>> bcrypt.encrypt('password123')
'$2a$12$G1gi54hD.9y4ws4Bcg94n.kGKM/R8CEtqVNGczNAzzwc6gN9NhAjC'
>>> bcrypt.encrypt('password123', salt='G1gi54hD.9y4ws4Bcg94n.', rounds=12)
'$2a$12$G1gi54hD.9y4ws4Bcg94n.kGKM/R8CEtqVNGczNAzzwc6gN9NhAjC'

>>> from passlib.hash import pbkdf2_sha512
>>> pbkdf2_sha512.encrypt('password123')
'$pbkdf2-sha512$25000$X.tdS.l9j9Ham/Meg7C2lg$YPo7a7kJQyqDHzDnkfS/0mWZibLOIOcTPCZtuK454VQtDRw0Q3mBkUWqRy1av5N/bpU.ohuN2ucMyl3ZJuAsSw'
>>> 

Next version of Passlib (1.7) will have scrypt as well.

What's the digest for PBKDF2 used in the code you received?

Kind regards,
Laurens
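
An added example, not part of the original post and not FreeRADIUS or Passlib code: a standard-library parser and verifier for the `$pbkdf2-sha512$rounds$salt$checksum` string shown above, which a server-side implementation could use as a reference when checking its own output. The function names are illustrative; the field layout and the adapted base64 alphabet ('.' in place of '+', no padding) follow Passlib's format for this scheme.

```python
import base64
import hashlib
import hmac
import os

# Hash string copied from the message above; function names are illustrative.
PAGE_HASH = ("$pbkdf2-sha512$25000$X.tdS.l9j9Ham/Meg7C2lg$"
             "YPo7a7kJQyqDHzDnkfS/0mWZibLOIOcTPCZtuK454VQtDRw0Q3mBkUWqRy1av5N/"
             "bpU.ohuN2ucMyl3ZJuAsSw")


def ab64_decode(text):
    """Decode Passlib's adapted base64: '.' replaces '+', padding is stripped."""
    padded = text.replace(".", "+") + "=" * (-len(text) % 4)
    return base64.b64decode(padded, validate=True)


def ab64_encode(raw):
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")


def parse(hash_str):
    """Split the modular crypt string into (rounds, salt bytes, checksum bytes)."""
    parts = hash_str.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "pbkdf2-sha512":
        raise ValueError("not a pbkdf2-sha512 modular crypt string")
    if not parts[2].isdigit() or parts[2].startswith("0"):
        raise ValueError("bad rounds field")
    return int(parts[2]), ab64_decode(parts[3]), ab64_decode(parts[4])


def make_hash(password, salt=None, rounds=25000):
    # A fresh 16-byte random salt per password unless one is supplied.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return "$pbkdf2-sha512$%d$%s$%s" % (rounds, ab64_encode(salt), ab64_encode(dk))


def verify(password, hash_str):
    rounds, salt, expected = parse(hash_str)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                             rounds, dklen=len(expected))
    return hmac.compare_digest(dk, expected)  # constant-time comparison


if __name__ == "__main__":
    print(parse(PAGE_HASH)[0], verify("password123", PAGE_HASH))
```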
