On Fri, Jun 13, 2003 at 09:15:45PM +1000, Paul Hampson wrote:
> > From: Oliver Graf
> > Sent: Friday, 13 June 2003 8:43 PM
> 
> > On Fri, Jun 13, 2003 at 12:38:29PM +0200, Oliver Graf wrote:
> > > > thanks
> > > > and so if I want to use an MD5 password it is not possible!?!
> 
> > > With PAP you can use any encryption supported by freeradius. The
> > > standard crypt of glibc2 will also support md5 crypts, if the crypted
> > > password (use the Crypt-Password Attribute in your mysql db) has a
> > > certain format: $1$SEED$CRYPT (see man crypt on your glibc2 system).
> 
> > mod PAP has a mutex against it, but you will have a hard time getting
> > freeradius to use it (as I said: search the list for my patches).
> 
> Huh? I've got mysql+freeradius (CVS, mind you) + PAP/md5 working fine
> here.... I think... Passwords in the database are stored with MD5("password"),
> and it auths OK...
> 
> Is the patch you're referring to "freeradius-cvs-cryptmutex.diff"??
> 
> Maybe you're solving a problem I don't have, but I'm wondering why I've
> not _got_ that problem.

Yup, if you use rlm_pap, scheme md5, you are fine.

You are not fine if you use crypt, and crypt is made by main/auth.c

rlm_pap is thread-safe.

> Quick glance at the patch, it matters only if you use Crypt-Password
> instead of Password? Bleh, over my head. I can post my config sans
> comments if you're willing to explain why I'm not having problems.

Yep. Only if you use Crypt-Password. rlm_pap uses the Password attribute.

Perhaps it is only a documentation bug, but the fallback crypt in
auth.c is vulnerable in any way.

I'm all open for your config. The problem is that you have many ways
to get freeradius to work. Even ways that should not work (I used
Auth-Type := 'Login' which is nonexistent, gave me no error, but
worked!) work sometimes...

So what freeradius needs is lots of clarifications, I think.

Oliver.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
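
The thread turns on two stored forms: a plain MD5 digest in Password (checked by rlm_pap) and a crypt(3) string such as $1$SEED$CRYPT in Crypt-Password (checked through crypt()). The C program below is an added example, not code from the messages or from FreeRADIUS; it classifies a stored value by shape so an administrator can see which rows only the crypt() path can verify. The function names are hypothetical, the length rules follow the crypt(3) man page, and the sample values are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Shapes a stored credential can take in the setups discussed above. */
enum pw_format { PW_UNKNOWN, PW_DES_CRYPT, PW_MD5_CRYPT, PW_MD5_HEX };
/* 1 if the first n chars are all hex (hex != 0) or all in [a-zA-Z0-9./]. */
static int all_in(const char *s, size_t n, int hex)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (hex ? !isxdigit(c) : !(isalnum(c) || c == '.' || c == '/'))
            return 0;
    }
    return 1;
}

enum pw_format classify_stored_password(const char *v)
{
    size_t len = strlen(v);
    if (strncmp(v, "$1$", 3) == 0) {             /* $1$SEED$CRYPT */
        const char *seed = v + 3;
        const char *sep = strchr(seed, '$');
        if (sep == NULL || sep - seed > 8)        /* seed: at most 8 chars */
            return PW_UNKNOWN;
        if (!all_in(seed, (size_t)(sep - seed), 0) ||
            strlen(sep + 1) != 22 || !all_in(sep + 1, 22, 0))
            return PW_UNKNOWN;                    /* MD5 crypt hash: 22 chars */
        return PW_MD5_CRYPT;
    }
    if (len == 32 && all_in(v, len, 1))
        return PW_MD5_HEX;                        /* plain MD5 digest in hex */
    if (len == 13 && all_in(v, len, 0))
        return PW_DES_CRYPT;                      /* 2-char salt + 11-char hash */
    return PW_UNKNOWN;
}

/* Only crypt(3) strings can be verified through the crypt() path. */
int usable_as_crypt_password(const char *v)
{
    enum pw_format f = classify_stored_password(v);
    return f == PW_DES_CRYPT || f == PW_MD5_CRYPT;
}

int main(void)
{
    const char *samples[] = { "$1$abcdefgh$0123456789ABCDEFGHIJkl", /* constructed */
                              "5f4dcc3b5aa765d61d8327deb882cf99", "ab0123456789A" };
    for (size_t i = 0; i < 3; i++)
        printf("%-36s crypt-usable=%d\n", samples[i], usable_as_crypt_password(samples[i]));
    return 0;
}
```

A 32-character hex digest stored under Crypt-Password is reported as not crypt-usable, because crypt() would never produce a string of that shape to compare against.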