Adding additional password encryption options
Laurens Vets
laurens at daemon.be
Sun Sep 4 01:43:15 CEST 2016
Hi list,
>> Is it possible to add additional password encryption options to
>> FreeRADIUS so that the user database can be used as a user/password
>> store (For instance PBKDF2 or scrypt)?
>>
>
> Yeah, some guy submitted code to do that, but it was awful.
>
>> When I look at "man rlm_pap", the amount of encryption options for
>> passwords are limited when FreeRADIUS is your only user database. I'm
>> creating a POC where users can register for an account to use certain
>> services (accessible via radius authentication) and I'm trying to only
>> use the FreeRADIUS mysql database as a backend to keep it simple, but
>> the password encryption methods aren't considered secure by today's
>> standards.
>
> What, salted SHA512 isn't considered secure by today's standards?
>
> If you don't mind providing some test output PBKDF2 I'll see if I can
> fix the code I have to not be terrible...
I'm using Python Passlib to generate the below output
(https://pypi.python.org/pypi/passlib). The author of Passlib recommends
to use bcrypt, sha512_crypt or pbkdf2_sha512 in applications these days.
On Ubuntu: sudo apt-get install python-passlib python3-passlib
>>> from passlib.hash import bcrypt
>>> bcrypt.encrypt('password123')
'$2a$12$G1gi54hD.9y4ws4Bcg94n.kGKM/R8CEtqVNGczNAzzwc6gN9NhAjC'
>>> bcrypt.encrypt('password123', salt='G1gi54hD.9y4ws4Bcg94n.', rounds=12)
'$2a$12$G1gi54hD.9y4ws4Bcg94n.kGKM/R8CEtqVNGczNAzzwc6gN9NhAjC'
>>> from passlib.hash import pbkdf2_sha512
>>> pbkdf2_sha512.encrypt('password123')
'$pbkdf2-sha512$25000$X.tdS.l9j9Ham/Meg7C2lg$YPo7a7kJQyqDHzDnkfS/0mWZibLOIOcTPCZtuK454VQtDRw0Q3mBkUWqRy1av5N/bpU.ohuN2ucMyl3ZJuAsSw'
>>>
Next version of Passlib (1.7) will have scrypt as well.
What's the digest for PBKDF2 used in the code you received?
Kind regards,
Laurens
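
An added example, not part of the original message and not FreeRADIUS or Passlib code: a standard-library parser and verifier for the `$pbkdf2-sha512$<rounds>$<salt>$<checksum>` string shown above, which makes the field layout explicit for anyone implementing the check elsewhere. The function names are hypothetical; the encoding assumed is Passlib's adapted base64 ('.' in place of '+', no '=' padding).

```python
import base64
import hashlib
import hmac

# Hash string copied from the message above.
SAMPLE = ('$pbkdf2-sha512$25000$X.tdS.l9j9Ham/Meg7C2lg$'
          'YPo7a7kJQyqDHzDnkfS/0mWZibLOIOcTPCZtuK454VQtDRw0Q3mBkUWqRy1av5N'
          '/bpU.ohuN2ucMyl3ZJuAsSw')

def ab64_decode(text):
    """Decode adapted base64: '.' replaces '+', padding is dropped."""
    padded = text.replace('.', '+') + '=' * (-len(text) % 4)
    return base64.b64decode(padded, validate=True)

def ab64_encode(raw):
    """Encode bytes as adapted base64 (inverse of ab64_decode)."""
    return base64.b64encode(raw).decode('ascii').rstrip('=').replace('+', '.')

def parse_pbkdf2_sha512(hash_string):
    """Return (rounds, salt, checksum) or raise ValueError on a bad string."""
    parts = hash_string.split('$')
    if len(parts) != 5 or parts[0] != '' or parts[1] != 'pbkdf2-sha512':
        raise ValueError('not a pbkdf2-sha512 hash string')
    rounds = int(parts[2])
    salt, checksum = ab64_decode(parts[3]), ab64_decode(parts[4])
    if rounds < 1 or len(checksum) != 64:  # SHA-512 output is 64 bytes
        raise ValueError('invalid rounds or checksum length')
    return rounds, salt, checksum

def make_hash(password, salt, rounds):
    """Build a hash string in the same layout (salt is raw bytes)."""
    dk = hashlib.pbkdf2_hmac('sha512', password.encode('utf-8'), salt, rounds)
    return '$pbkdf2-sha512$%d$%s$%s' % (rounds, ab64_encode(salt), ab64_encode(dk))

def verify(password, hash_string):
    """Recompute PBKDF2-HMAC-SHA512 and compare in constant time."""
    rounds, salt, expected = parse_pbkdf2_sha512(hash_string)
    dk = hashlib.pbkdf2_hmac('sha512', password.encode('utf-8'), salt, rounds)
    return hmac.compare_digest(dk, expected)

if __name__ == '__main__':
    rounds, salt, checksum = parse_pbkdf2_sha512(SAMPLE)
    print('rounds=%d salt_bytes=%d checksum_bytes=%d'
          % (rounds, len(salt), len(checksum)))
    print('sample verifies:', verify('password123', SAMPLE))
```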