Help with external authentication using PHP

Uchenna Nebedum nebeduch at gmail.com
Sat Apr 6 21:04:45 CEST 2019


Hi Ekene,
Here are a few ideas.

Use the encrypted passwords from the custom application as PLAINTEXT
passwords in freeRADIUS, and replicate the users you have in your APP DB as
valid users in the freeRADIUS DB. Then, before submitting passwords to
freeRADIUS, do the crypt() function on the provided password and submit that
to freeRADIUS, depending on the authentication process.

You could also create like an authentication API on your custom application
and use either the python or perl module to reach the API and compare the
provided password with what is in the DB, and return an Access-Accept based
on the response code. The perl/python script would be in the auth{} portion.

The third idea is not fully formed. I thought I had more.

On Sat, Apr 6, 2019 at 7:29 PM Ekene Ezeasor <ezeasorekene at gmail.com> wrote:

> Hi Uchenna,
>
> Thanks for your tip. Let me explain our scenario.
>
> We have our users created and managed using our custom made PHP
> application. The username pattern is user at domain.edu and the password is
> encrypted using PHP's function crypt() with a blowfish hash ($2y$....). We
> have SimpleSAMLphp implementation where all users authenticate using our
> SAML IdP. Because SimpleSAMLphp was done in PHP, it was easy for me to
> integrate password_verify() to verify passwords supplied by the user.
>
> Now we are trying to implement eduroam. We do not intend creating a different
> set of users since we already have a database (MySQL). So my worry and
> problem now is:
>
> 1. How do I authenticate users using a PHP script that will verify
> supplied passwords using password_verify()?
>
> 2. In the case where the above is not obtainable in freeradius, how can I
> structure my MySQL database with regards to password encryption and
>
> 3. What is the correct SQL code to use to effectively verify user
> passwords to achieve no. 2 above.
>
> Thank you.
>
>
> On Fri, 5 Apr 2019, 10:23 pm Uchenna Nebedum, <nebeduch at gmail.com> wrote:
>
> > Hi Ekene,
> > I think if you explain the entire scenario and what you're trying to
> > achieve, they'll be able to help.
> >
> > I currently have an external application connected to freeradius, but what
> > I do is entirely different.
> >
> > I authenticate users on the application separately, but I don't use the
> > password they provide as the radius password; it's generated with a formula
> > and SMD5-encrypted.
> >
> > Something like usermac + last 2 letters of first name + last 4 digits of
> > phone number. Then salted and encrypted and stored in Freeradius.
> >
> > Uchenna Nebedum
> >
> > On Fri, Apr 5, 2019, 16:23 Ekene Ezeasor <ezeasorekene at gmail.com> wrote:
> >
> > > Hi all,
> > >
> > > Please our users' passwords are encrypted using crypt() (blowfish) function
> > > in PHP. Now I want to use password_verify() to check the submitted password
> > > and I intend doing that in PHP. I have updated my authorize section to use
> > > the external PHP script like this:
> > >
> > > update control {
> > >     Auth-type := "/usr/bin/php -f /etc/freeradius/3.0/php/checkpassword.php %{User-Name} %{User-Password}"
> > >     &Proxy-To-Realm := LOCAL
> > > }
> > >
> > > But only the username is sent to the external PHP file. The password is
> > > empty.
> > >
> > > We are already running a large database and it may not be easy to change to
> > > another encryption method. Therefore this is very important and we really
> > > need to implement it.
> > >
> > > Please can someone help. Thanks. Regards
> > >
> > >
> > >
> > > ___________________________
> > > Ekene Ezeasor
> > > IT Consultant,
> > > Codee Solutions
> > > *Phone*: 08063961963
> > > *Web*: www.codeeltd.com
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html



-- 
Nebedum Uchenna
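
An added example, not part of the original thread: a sketch of the second idea above, in which a script for FreeRADIUS's Python module posts the credentials to an API on the PHP application and maps the HTTP status to a module return code. The endpoint URL, its JSON body, its status codes (200 when password_verify() succeeds, 401/403 when it fails), the `post` hook and the request arriving as a tuple of (attribute, value) pairs are all assumptions.

```python
import json
import urllib.error
import urllib.request

try:
    import radiusd  # only importable when loaded by FreeRADIUS's Python module
    OK, REJECT, FAIL = (radiusd.RLM_MODULE_OK, radiusd.RLM_MODULE_REJECT,
                        radiusd.RLM_MODULE_FAIL)
except ImportError:
    # Stand-alone run: numeric values from FreeRADIUS's sample radiusd.py
    REJECT, FAIL, OK = 0, 1, 2

# Hypothetical endpoint on the PHP application; it is assumed to call
# password_verify() against the stored $2y$ hash and answer with a status code.
API_URL = "https://app.example.edu/api/radius-verify"


def post_credentials(username, password, url=API_URL, timeout=3):
    """POST the credentials as JSON over HTTPS and return the HTTP status."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:  # 4xx/5xx still carry a status
        return exc.code


def authenticate(p, post=post_credentials):
    """Entry point named by func_authenticate in the python module config.

    p is assumed to be a tuple of (attribute, value) pairs.
    """
    attrs = dict(p)
    username = attrs.get("User-Name")
    password = attrs.get("User-Password")
    if not username or not password:
        return REJECT  # no cleartext password in the request: nothing to verify
    try:
        status = post(username, password)
    except OSError:    # connection refused, TLS failure, timeout
        return FAIL    # fail closed: an unreachable API never yields an accept
    if status == 200:
        return OK
    if status in (401, 403):
        return REJECT
    return FAIL        # any unexpected status is an error, not a verdict
```

User-Password is only present when the client sends a cleartext password (PAP, or PAP inside EAP-TTLS); with MS-CHAPv2-based methods it is absent, and a bcrypt hash cannot be checked against such a request.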

