OK, I've made tons of progress. Now I'm trying to run ntlm_auth from
my own wrapper script, as suggested here. And I'm hitting a wall:
The FreeRADIUS ntlm_auth module runs ntlm_auth with a parameter I can't find anywhere in the environment of my exec script.

I get these environment variables from FreeRADIUS:

MS_CHAP_CHALLENGE: 0xb52c467546e41669ec940cf35cf03a6e
MS_CHAP2_RESPONSE: 0x00009e69fe67f2cfe7802acd7616ccd1d61c000000000000000079811ac8f56363d0999964aaff1d955eca65f1ef6b567616

And I'm passing them to ntlm_auth like this:

/usr/bin/ntlm_auth --request-nt-key --username=doctor1 
--challenge=b52c467546e41669ec940cf35cf03a6e 
--nt-response=00009e69fe67f2cfe7802acd7616ccd1d61c000000000000000079811ac8f56363d0999964aaff1d955eca65f1ef6b567616

But this doesn't work. So I put a wrapper around ntlm_auth and let
FreeRADIUS also run it normally via the ntlm_auth module, to see what that
looks like. And for the same request you see above, ntlm_auth was
called by FreeRADIUS like this:

/usr/bin/ntlm_auth --request-nt-key --username=doctor1 
--challenge=d201c3cd5d8e7796 
--nt-response=79811ac8f56363d0999964aaff1d955eca65f1ef6b567616

Uh-oh, where did this stuff come from? I can see where the --nt-response value is coming from: it's the second half of MS_CHAP2_RESPONSE. Okay. But what about the --challenge? That doesn't look like any part of MS_CHAP_CHALLENGE.

Can I really feed ntlm_auth myself based on the exec environment
variables? Do I need to perform some sort of hash magic? Help! Thanks.

--
Thomas Boutell
Boutell.Com, Inc. http://www.boutell.com/
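
Added example, not part of the original post and not FreeRADIUS code: RFC 2759 defines the 8-byte MS-CHAPv2 challenge as the first 8 bytes of SHA-1(PeerChallenge || AuthenticatorChallenge || UserName), with the peer challenge carried in bytes 2-17 of MS-CHAP2-Response. The function names are hypothetical, and the sketch assumes the user name hashed by the client is exactly the one passed in.

```python
import hashlib

def _unhex(value):
    """Decode hex as FreeRADIUS exports it, with or without a leading 0x."""
    return bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)

def split_mschap2_response(resp_hex):
    """Split the 50-byte MS-CHAP2-Response value into its RFC 2548 fields."""
    raw = _unhex(resp_hex)
    if len(raw) != 50:
        raise ValueError(f"expected 50 bytes, got {len(raw)}")
    return {
        "ident": raw[0],
        "flags": raw[1],
        "peer_challenge": raw[2:18],   # chosen by the client
        "reserved": raw[18:26],        # must be zero
        "nt_response": raw[26:50],     # what --nt-response expects
    }

def challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 ChallengeHash: first 8 bytes of SHA-1(peer || auth || user)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes for MS-CHAPv2")
    data = peer_challenge + auth_challenge + username.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]

def ntlm_auth_args(username, ms_chap_challenge, ms_chap2_response):
    """Build the ntlm_auth argument list from the two exported values."""
    fields = split_mschap2_response(ms_chap2_response)
    chal = challenge_hash(fields["peer_challenge"],
                          _unhex(ms_chap_challenge), username)
    return [
        "/usr/bin/ntlm_auth", "--request-nt-key",
        f"--username={username}",
        f"--challenge={chal.hex()}",
        f"--nt-response={fields['nt_response'].hex()}",
    ]

# Values quoted in the post above.
POST_CHALLENGE = "0xb52c467546e41669ec940cf35cf03a6e"
POST_RESPONSE = ("0x00009e69fe67f2cfe7802acd7616ccd1d61c0000000000000000"
                 "79811ac8f56363d0999964aaff1d955eca65f1ef6b567616")

if __name__ == "__main__":
    print(" ".join(ntlm_auth_args("doctor1", POST_CHALLENGE, POST_RESPONSE)))
```

If the client sent the name with a domain or realm attached, the hash input must be the name as the client hashed it, or the derived challenge will not match.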

