Authenticate against FreeIPA PBKDF2_SHA256
Alan DeKok
aland at deployingradius.com
Wed Apr 7 14:43:14 CEST 2021
On Apr 7, 2021, at 8:27 AM, Marc Sauer <m.sauer at khm.de> wrote:
> I would like to authenticate against our FreeIPA servers. The problem is that our passwords are stored in the following format:
>
> PBKDF2_SHA256
That's not supported. v3 supports PBKDF2 with various HMACs. See src/modules/rlm_pap/rlm_pap.c
> FreeRADIUS did not support this at all until version 3.0.22 [1]. The functionality has been merged into the v3.0.x branch in September 2020.
>
> Unfortunately it still does not work in 3.0.22 with FreeIPA passwords.
>
> The example-password I'm trying to authenticate against has the following content:
>
> {PBKDF2_SHA256}AAAIAEwR4+g...
That isn't supported. It's probably not hard to add, but... there's a ton of variants.
> When I try to authenticate against it, it shows the following error when running freeradius -X:
>
> (1) pap: Unknown header {PBKDF2_SHA256} in Password-With-Header, re-writing to Cleartext-Password
That seems pretty clear: "Unknown header".
> What I don't understand is that FreeRADIUS says "Unknown header", although the PBKDF2_SHA256 support seems to be implemented.
What makes you say that?
PBKDF2 is a whole family of password formats. Which means that each one has to be supported explicitly.
> Is there anything wrong with my configuration or is there still something wrong with the implementation of those kinds of hashes in FreeRADIUS?
The error message is clear: "Unknown header". It does NOT say "found known header, and then the password didn't match".
> If I knew C, I would love to help implement the support.
We'll take a look, but we can't promise any particular time frame.
Alan DeKok.
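As an added illustration of the distinction Alan draws (this is example code written for this page, not code from the thread, from FreeRADIUS rlm_pap, or from FreeIPA), the verifier below dispatches on the `{...}` header first and only runs PBKDF2 when the scheme is one it knows, so "unknown header" and "password did not match" come out as different results. The on-disk layout it assumes for `{PBKDF2_SHA256}` is the 389-ds style blob, base64 of a 4-byte big-endian iteration count, a 64-byte salt and a 256-byte derived key; that layout is an assumption here, not something the thread states, although the leading bytes of the sample in the post ("AAAI...") decode to an iteration count of 2048 under it. The stored hash used for the demonstration is constructed inside the block from a fixed salt.

```python
import base64
import hashlib
import hmac

# Assumed layout of the {PBKDF2_SHA256} body (389-ds style, not confirmed by the thread):
# base64( iterations as 4-byte big-endian || 64-byte salt || 256-byte PBKDF2-HMAC-SHA256 output )
ITER_LEN, SALT_LEN, DK_LEN = 4, 64, 256
SCHEME = "PBKDF2_SHA256"


def encode_pbkdf2_sha256(password: str, salt: bytes, iterations: int) -> str:
    """Produce a stored-password string in the assumed {PBKDF2_SHA256} layout."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DK_LEN)
    blob = iterations.to_bytes(ITER_LEN, "big") + salt + dk
    return "{%s}%s" % (SCHEME, base64.b64encode(blob).decode("ascii"))


def split_header(stored: str):
    """Return (scheme, body) for a '{SCHEME}body' string, or (None, stored) if there is no header."""
    if not stored.startswith("{"):
        return None, stored
    end = stored.find("}")
    if end < 0:
        return None, stored
    return stored[1:end], stored[end + 1:]


def verify(stored: str, candidate: str) -> str:
    """Return 'unknown_header', 'malformed', 'match' or 'mismatch'.

    Each PBKDF2 variant has its own header and body layout, so the scheme name
    is checked explicitly before any key derivation happens. An unrecognised
    header is reported as such; the candidate password is never compared.
    """
    header, body = split_header(stored)
    if header != SCHEME:
        return "unknown_header"
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if len(blob) != ITER_LEN + SALT_LEN + DK_LEN:
        return "malformed"
    iterations = int.from_bytes(blob[:ITER_LEN], "big")
    salt = blob[ITER_LEN:ITER_LEN + SALT_LEN]
    expected = blob[ITER_LEN + SALT_LEN:]
    got = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations, dklen=DK_LEN)
    # Constant-time comparison so a wrong guess takes the same time regardless of where it differs.
    return "match" if hmac.compare_digest(got, expected) else "mismatch"


# Constructed sample: a fixed salt and the iteration count seen in the post's sample blob.
SAMPLE_SALT = bytes(range(SALT_LEN))
SAMPLE_STORED = encode_pbkdf2_sha256("correct horse", SAMPLE_SALT, 2048)

if __name__ == "__main__":
    print(SAMPLE_STORED[:24] + "...")
    print("right password :", verify(SAMPLE_STORED, "correct horse"))
    print("wrong password :", verify(SAMPLE_STORED, "guess"))
    # Same body under a scheme name this verifier does not implement (placeholder name).
    print("other scheme   :", verify("{OTHER_SCHEME}" + SAMPLE_STORED.split("}")[1], "correct horse"))
```

Run as a script it prints the three outcomes; the point to notice is that the third case returns before any hashing is done, which is exactly the situation the debug line `Unknown header {PBKDF2_SHA256}` describes: the module never got as far as comparing the password.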