Salted SHA512

Arran Cudbard-Bell a.cudbardb at
Tue Sep 6 08:21:36 CEST 2016

> On 6 Sep 2016, at 02:57, Nathan Ward <lists+freeradius at> wrote:
>> On 6/09/2016, at 11:54, Laurens Vets <laurens at> wrote:
>> On 2016-09-05 06:03, Alan DeKok wrote:
>>> On Sep 4, 2016, at 7:36 PM, Laurens Vets <laurens at> wrote:
>>>> Hmm, not sure where to look. It seems both OpenVPN and StrongSwan send EAP requests to FreeRADIUS, but from when I can see, EAP only supports MD5 and Crypt?
>>> EAP just carries authentication data. There are multiple kinds of
>>> authentication types within EAP.
>>>> Does that mean I should change it to PAP instead of EAP?
>>> You won't be able to.
>>>> The goal is to have OpenVPN and StrongSwan authenticate users with FreeRADIUS and have their password encrypted in the radius database.
>>> It may be possible.  It might not be possible.
>> It seems changing "default_eap_type = md5" to "default_eap_type = gtc" in "/etc/freeradius/mods-enabled/eap" works. I'm now using attribute "SSHA-Password" with a hash generated with the perl script "" from "FreeRADIUS Beginner's Guide". This works.
>> I'm now trying to convert this to "SSHA2-512-Password", but I cannot seem to generate the correct password hash... I've tried to use "mkpasswd" from the whois tools, passlib Python libary, hashlib Python library, ...
>> This brings me back to my initial question, does anyone here have a tool that generates the correct "SSHA2-512-Password" (Salted SHA512) for FreeRadius so I can double-check what I might be doing wrong?
> Hi
> (1) pap: ERROR: "known-good" SSHA2-512-Password has incorrect length, got 64 bytes, need at least 65 bytes
> Your DB comes back with:
> (1) sql:   SSHA2-512-Password := 0x61363138336661396262643730366336373331616366343165393231386339616239343836376234623333376533643666616432393032376135363661353765393134666334633832613763356665376662376231393435663539633863333731353164656230663765663563643361616235
> This is 115 bytes, which seems odd as this should be hex. What is your salt?
> I note that your two different values for SSHA2-512-Password are treated differently by FreeRADIUS despite being the same length string in the debug output:
> (1) pap: Normalizing SSHA2-512-Password from hex encoding, 128 bytes -> 64 bytes
> (1) pap: Normalizing SSHA2-512-Password from hex encoding, 192 bytes -> 96 bytes
> Not sure why this happens - I don’t see 128 or 192 bytes anywhere. It’s not clear to me why the 115 bytes above are treated as 128 or 192 bytes. The hex checking looks for an even length string.
> Unless.. is this being trimmed in the debug output?

Yeah long lines were truncated in 3.0.x, not so in v3.1.x or v4.0.x.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Users mailing list