Help with external authentication using PHP

Ekene Ezeasor ezeasorekene at gmail.com
Sat Apr 6 20:29:25 CEST 2019


Hi Uchenna,

Thanks for your tip. Let me explain our scenario.

We have our users created and managed using our custom-made PHP
application. The username pattern is user at domain.edu and the password is
encrypted using PHP's function crypt() with a blowfish hash ($2y$....). We
have SimpleSAMLphp implementation where all users authenticate using our
SAML IdP. Because SimpleSAMLphp was done in PHP, it was easy for me to
integrate password_verify() to verify passwords supplied by the user.

Now we are trying to implement eduroam. We do not intend to create a different
set of users since we already have a database (MySQL). So my worry and
problem now is:

1. - How do I authenticate users using a PHP script that will verify
supplied passwords using password_verify()

2. - In the case where the above is not obtainable in freeradius, how can I
structure my MySQL database with regards to password encryption and

3. - What is the correct SQL code to use to effectively verify user
passwords to achieve no. 2 above.

Thank you.


On Fri, 5 Apr 2019, 10:23 pm Uchenna Nebedum, <nebeduch at gmail.com> wrote:

> Hi Ekene,
> I think if you explain the entire scenario and what you're trying to
> achieve, they'll be able to help.
>
> I currently have an external application connected to freeradius, but what
> I do is entirely different.
>
> I authenticate users on the application separately, but I don't use the
> password they provide as the radius password, it's generated with a formula
> and SMD5-encrypted.
>
> Something like usermac + last 2 letters of first name + last 4 digits of
> phone number. Then salted and encrypted and stored in Freeradius.
>
> Uchenna Nebedum
>
> On Fri, Apr 5, 2019, 16:23 Ekene Ezeasor <ezeasorekene at gmail.com> wrote:
>
> > Hi all,
> >
> > Please, our users' passwords are encrypted using the crypt() (blowfish)
> > function in PHP. Now I want to use password_verify() to check the submitted
> > password and I intend to do that in PHP. I have updated my authorize section
> > to use the external PHP script like this:
> >
> > update control {
> >       Auth-type := "/usr/bin/php -f /etc/freeradius/3.0/php/checkpassword.php %{User-Name} %{User-Password}"
> >       &Proxy-To-Realm := LOCAL
> >     }
> >
> > But only the username is sent to the external PHP file. The password is
> > empty.
> >
> > We are already running a large database and it may not be easy to change to
> > another encryption method. Therefore this is very important and we really
> > need to implement it.
> >
> > Please can someone help. Thanks. Regards
> >
> >
> >
> > ___________________________
> > Ekene Ezeasor
> > IT Consultant,
> > Codee Solutions
> > *Phone*: 08063961963
> > *Web*: www.codeeltd.com
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
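
Added example, not part of the thread or of FreeRADIUS: one way to write the password check the message describes, verifying a supplied password against a stored `$2y$` hash with `password_verify()`. The `users` table, its column names, the sample account and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. The users table and its columns are hypothetical names.

/** True only when $password matches the stored $2y$ hash for $username. */
function check_password(PDO $db, string $username, string $password): bool
{
    // The thread reports the password arriving empty: never accept that.
    if ($username === '' || $password === '') {
        return false;
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash)) {
        // Unknown user: spend one bcrypt computation anyway so unknown
        // usernames take about as long to reject as known ones.
        password_hash($password, PASSWORD_BCRYPT);
        return false;
    }
    // password_verify() takes algorithm, cost and salt from the hash itself,
    // so hashes created by crypt() with a $2y$ salt verify unchanged.
    return password_verify($password, $hash);
}

// Constructed demo data; in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')->execute([
    'alice@example.edu',
    password_hash('correct horse', PASSWORD_BCRYPT), // yields a $2y$ hash
]);

$cases = [
    ['alice@example.edu', 'correct horse'],   // right password
    ['alice@example.edu', 'wrong password'],  // wrong password
    ['alice@example.edu', ''],                // empty, as seen in the thread
    ['nobody@example.edu', 'correct horse'],  // user not in the table
];
foreach ($cases as [$user, $pass]) {
    $result = check_password($db, $user, $pass) ? 'accept' : 'reject';
    printf("%-20s %-18s %s\n", $user, var_export($pass, true), $result);
}
```

Passing the password as a command-line argument, as the quoted configuration does, makes it visible in the process list to other local users while the script runs.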


More information about the Freeradius-Users mailing list