Help with external authentication using PHP

Mark Elkins mje at posix.co.za
Fri Apr 5 18:20:54 CEST 2019


What I used to do years back is encrypt the password in the Database -
with a reversible key. That is - use a 'password' to both encrypt and
decrypt the password field in the Database. This allows "clear text"
comparison. If Database and calling code are on different machines - I
believe that's safe enough.

On 2019/04/05 18:03, Ekene Ezeasor wrote:
> Thank you Alan for your reply.
>
> Changing the passwords to clear-text is not an option of course and we do
> Wi-Fi. Assuming we want to start using the SQL authorization with sha512
> (with hash). How do I implement the SQL query to check for sha512 password
> using the correct hash?
>
> Thanks
>
>
> On Fri, Apr 5, 2019 at 4:29 PM Alan DeKok <aland at deployingradius.com> wrote:
>
>> On Apr 5, 2019, at 11:22 AM, Ekene Ezeasor <ezeasorekene at gmail.com> wrote:
>>> Please our users' passwords are encrypted using the crypt() (blowfish)
>>> function in PHP. Now I want to use password_verify() to check the
>>> submitted password and I intend doing that in PHP. I have updated my
>>> authorize section to use the external PHP script like this:
>>>
>>> update control {
>>>       Auth-type := "/usr/bin/php -f /etc/freeradius/3.0/php/checkpassword.php %{User-Name} %{User-Password}"
>>>       &Proxy-To-Realm := LOCAL
>>>     }
>>>
>>> But only the username is sent to the external PHP file. The password is
>>> empty.
>>    If you're using WiFi, the User-Password won't exist.  See the debug
>> output for more information.
>>
>>> We are already running a large database and it may not be easy to change
>>> to another encryption method. Therefore this is very important and we
>>> really need to implement it.
>>    See:
>>
>> http://deployingradius.com/documents/protocols/compatibility.html
>>
>>    The clients will need to do TTLS with inner-tunnel PAP.  Everything else
>> won't work.
>>
>>    Your choices are:
>>
>> * use TTLS with inner PAP
>> * don't do WiFi
>> * change all the passwords in the database to clear-text
>>
>>    Pick one.
>>
>>    Alan DeKok
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
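
The external check discussed in the thread, as an added example that is not part of the original messages and is not the poster's or FreeRADIUS's code: a PHP script that verifies a submitted password against a crypt() blowfish hash with password_verify(). The user table, the sample password, the function names and the exit-status convention (0 accept, 1 reject) are assumptions.

```php
<?php
// Added example, not from the thread. Intended call (as in the quoted config):
//   php -f checkpassword.php <User-Name> <User-Password>
// Assumption: the caller treats exit status 0 as accept and 1 as reject.

// Constructed sample data standing in for the real user table.
// password_hash() with PASSWORD_BCRYPT emits the "$2y$" crypt-blowfish
// format, which is what crypt() (blowfish) stores and password_verify() reads.
function sample_users(): array
{
    return ['alice' => password_hash('constructed-sample-pw', PASSWORD_BCRYPT)];
}

function check_password(array $users, string $user, string $password): bool
{
    // When the client does not send PAP (e.g. WiFi without TTLS/PAP), there
    // is no User-Password and the argument arrives empty. An empty value is
    // always a reject, never compared against a stored hash.
    if ($user === '' || $password === '') {
        return false;
    }

    // Unknown users are checked against a dummy hash so that known and
    // unknown names both cost one bcrypt computation.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('constructed-dummy', PASSWORD_BCRYPT);

    $known = isset($users[$user]);
    $hash  = $known ? $users[$user] : $dummy;

    // password_verify() re-derives the hash from the salt and cost embedded
    // in $hash and compares the result in constant time.
    $match = password_verify($password, $hash);

    return $known && $match;
}

// Command-line entry point: the arguments are the two expanded attributes.
$user     = $argv[1] ?? '';
$password = $argv[2] ?? '';

exit(check_password(sample_users(), $user, $password) ? 0 : 1);
```

A password passed as a command-line argument is visible in the process list on the RADIUS host for the lifetime of the PHP process, so the host running this script needs to be restricted accordingly.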



More information about the Freeradius-Users mailing list