Check Password Against External DB

Adam Bishop Adam.Bishop at jisc.ac.uk
Tue Feb 7 16:11:19 CET 2017


On 7 Feb 2017, at 14:37, David Teston <dteston at georgialibraries.org> wrote:
> My company runs an application that hashes/encrypts user passwords in a
> central postgres DB. I have a bash script that can be run remotely to check
> a username and password against it:
> ./script.sh <user> <plaintext_pass>

Possible to do: use rlm_exec, though using PostgreSQL directly would be better. It's inadvisable to pass credentials as arguments to a script because any user on the system can use 'ps' and see them.

> My fear is that I will not be able to use EAP or CHAP (and their various
> sub-types) because of client-side password hashing. It seems that PAP will
> be the only usable solution because it would still provide the server with
> a plaintext password to be passed into the script. But I run into security
> issues with PAP.

You haven't said what your clients are, but assuming wired/wireless there is no security problem. If you're using EAP-TTLS/PAP the credential exchange is in a TLS tunnel, just like logging into a website. The only issue is if you don't configure the trust anchor correctly on clients.

The only common algorithm supported by supplicants is MSCHAP-v2 which is comprehensively broken.

CHAP wouldn't work with hashed passwords, but as far as I'm aware CHAP isn't supported by wireless clients anyway.

Regards,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk
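A checker written in the shape rlm_exec expects, added here as an example and not code from the thread or from FreeRADIUS: with `input_pairs = request`, rlm_exec exports request attributes to the child as environment variables (User-Name becomes USER_NAME, User-Password becomes USER_PASSWORD), so the script reads credentials from the environment instead of argv, where 'ps' would expose them, and reports the result through its exit status (0 accepts, non-zero rejects). The PBKDF2 scheme and the in-memory table standing in for the central postgres DB are constructed assumptions, since the thread does not say how the application hashes passwords.

```python
#!/usr/bin/env python3
"""rlm_exec-style password check: credentials come from the environment,
never from the command line; exit status 0 = accept, 1 = reject."""
import hashlib
import hmac
import os
import sys

# Assumption: the application stores salted PBKDF2-SHA256 hashes.
ITERATIONS = 100_000
DUMMY_SALT, DUMMY_HASH = b"constructed-dummy-salt", b"\x00" * 32


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed stand-in for the postgres table: username -> (salt, stored hash).
STORED = {
    "alice": (b"constructed-salt-1", hash_password("correct horse", b"constructed-salt-1")),
}


def lookup_hash(username: str):
    """Stand-in for a SELECT against the central DB (assumed schema)."""
    return STORED.get(username)


def check_password(env) -> bool:
    """Verify the USER_NAME / USER_PASSWORD pair rlm_exec placed in env."""
    username = env.get("USER_NAME")
    password = env.get("USER_PASSWORD")
    if not username or password is None:
        return False
    row = lookup_hash(username)
    # Hash even for unknown users so response time does not reveal which
    # usernames exist; compare_digest avoids a timing leak on the hash itself.
    salt, expected = row if row is not None else (DUMMY_SALT, DUMMY_HASH)
    candidate = hash_password(password, salt)
    return row is not None and hmac.compare_digest(candidate, expected)


def main() -> int:
    # Read from os.environ, not sys.argv: nothing secret appears in 'ps'.
    return 0 if check_password(os.environ) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Only the exit status matters to rlm_exec here, so the script prints nothing on either path.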

More information about the Freeradius-Users mailing list