Check Password Against External DB

David Teston dteston at
Tue Feb 7 15:37:10 CET 2017

Hi All,

My company runs an application that hashes/encrypts user passwords in a
central postgres DB. I have a bash script that can be run remotely to check
a username and password against it:
./ <user> <plaintext_pass>

The end goal is to store the username and encrypted password on the
local FR postgres DB, but always/only check the password against the
central DB. This will account for any password/permissions changes that
occur on the application DB.

My fear is that I will not be able to use EAP or CHAP (and their various
sub-types) because of client-side password hashing. It seems that PAP will
be the only usable solution because it would still provide the server with
a plaintext password to be passed into the script. But I run into security
issues with PAP.

Does anyone know of a proper method that would allow me to check all user
credentials against the external DB while still remaining secure throughout
the entire process?

Thanks in advance,

David Teston
PINES System Administrator
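The constraint described in the message, as an added example that is not part of the original post: PAP hands the RADIUS server a recoverable cleartext password (RFC 2865 User-Password hiding) that can be re-hashed and compared with a hash-only store, while a CHAP response (RFC 1994) can only be recomputed by a server that holds the cleartext. The PBKDF2 scheme in `stored_hash` is an assumption standing in for the central DB's unspecified hashing, and all secrets, salts and passwords are constructed sample values.

```python
import hashlib
import hmac

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding, as done by the NAS for PAP."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding and get the cleartext password back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: the peer sends MD5(ID || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def stored_hash(password: bytes, salt: bytes) -> bytes:
    # ASSUMPTION: stand-in for whatever one-way scheme the central DB uses.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def check_pap(hidden, secret, authenticator, salt, db_hash) -> bool:
    """PAP works with a hash-only store: recover cleartext, re-hash, compare."""
    plain = pap_recover(hidden, secret, authenticator)
    return hmac.compare_digest(stored_hash(plain, salt), db_hash)

def check_chap(chap_id, challenge, response, server_secret) -> bool:
    """CHAP needs the cleartext on the server to recompute the digest."""
    expected = chap_response(chap_id, server_secret, challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret, auth, salt = b"shared-secret", bytes(range(16)), b"constructed-salt"
    pw, chal = b"correct horse battery staple", b"\xaa" * 16
    db_hash = stored_hash(pw, salt)
    print("PAP :", check_pap(pap_hide(pw, secret, auth), secret, auth, salt, db_hash))
    print("CHAP with cleartext:", check_chap(7, chal, chap_response(7, pw, chal), pw))
    print("CHAP with DB hash  :", check_chap(7, chal, chap_response(7, pw, chal), db_hash))
```

The PAP cleartext is protected on the wire only by the MD5-based hiding keyed with the RADIUS shared secret, which is the exposure the message refers to.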
