that's getting quite consuming, but who says a must say b, right? :-)


Please do not take my e-mails personally... I must say that I thought
you might be one of those show-offs who pick through people's e-mails looking
for mistakes and then completely miss the point of the e-mail. My apologies
if I am mistaken.

i actually almost never reply :-) one thing, if i was a show-off, wouldn't it be much more comfortable for me to take 5 min in order to take a look at the specs and show off even more instead of making assumptions based only on what has been said before? just type "nt-hash" in google :-)



I just think you might have misread the post you reacted to.

perhaps! i will immediately admit that.



It is possible to use PEAP / MSCHAPv2
with LDAP, however one must store the NT-Hash password in LDAP. I've had the
same problem with crypts as my password encryption in LDAP. I ended having to
create an extra LDAP attribute for NT-Hash passwords.

this is the part which i understand as misleading. since the author talks about crypt, one could suppose that this is the general approach. i.e. if the protocol uses crypt, you should store the crypt-password in the DB, etc.


you see, when you try to explain the basic problem, you have to insist on the fact that the database and the client must hash the same data, be this data X or hash(X) or DES(X) - it doesn't change anything. this data must be available on both ends, point.

perhaps my reaction was due to somebody who's recently proposed to me the following "trick" to make PEAP work with backend Unix' system authentication: with the same argument of double hashing, the idea was to type the string stored in the shadow file at the PEAP prompt...

now after the discussion with you i see that applied to ms-chap the post seems to be correct. that's the reason why i've written "i think that this is wrong" and not "this is wrong" in my original post.


ciao artur



--



- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
