> Mircea Harapu wrote:
>
>>> I'm trying to make an ssh authentication with pam_radius_auth + freeradius + ldap.
>>> The problem is that radius is sending the password to ldap in clear and not
>>> crypted with CRYPT as configured in ldap module.
>>
>> Huh? pam_radius_auth sends the password to FreeRADIUS in the clear,
>> because that's what it does. FreeRADIUS sends this to LDAP because
>> LDAP doesn't understand anything else.
>
> > sending passwords in clear in a network is not secure. pam_radius_auth does
> > have md5 crypting capabilities. that's why you need to set radius key.
>
> PAP sends the following radius request:
>
> User-Name = "Someuser"
> User-Password = "somepassword"
>
> HOWEVER, the User-Password field in a radius packet is defined by RFC to
> be encrypted with the radius shared secret.
The pam_radius_auth is sending User-Password without being encrypted. I have
set the same shared secret in /etc/raddb/server and clients.conf.

> At the radius server, the password field is decrypted and processed in
> plaintext inside the radius server.
>
> This is at least as secure as sending a plaintext password over the wire.
>
>> And there is NO configuration in the LDAP module to send the
>> password in crypted form. I think you're mistaking the configuration
>> that *reads* the password from LDAP for something else.
>
> > auto_header = yes
> > that means that it checks for encryption types.
>
> I think Alan, as the main FreeRadius developer, is probably aware of
> that feature. He is aware that it does NOT do what you claim.
>
> "auto_header" is responsible for detecting the {type} header when the
> userPassword attribute is *read from* the LDAP server. The {type} field
> is stripped, and used to put the following value into the correct radius
> config attribute e.g.
>
> * {clear} -> User-Password
> * {crypt} -> Crypt-Password
> * {ssha} -> SSHA-Password
>
> ...and so on.
>
> *Then* the radius server processes a PAP request like so:
>
> 1. request comes in
>    User-Name = foo
>    User-Password = encrypted_with_radius_secret(bar)
> 2. authorize section is run
> 2a. ldap module is run - userPassword: {crypt}baAP5K9PT1lcc
> 2b. auto_header puts "Crypt-Password = baAP5K9PT1lcc" into config items
> 3. authenticate is run - Auth-Type = Local
> 3b. The radius server sees that Crypt-Password is set and does:
>     if (crypt(User-Password, 'ba')=='baAP5K9PT1lcc')
>         auth_ok;
>
> I hope that is clear.
>
> Your original mail stated:
>
> > I'm trying to make an ssh authentication with pam_radius_auth + freeradius + ldap
> > The problem is that radius is sending the password to ldap in clear and not
> > crypted with CRYPT as configured in ldap module.
>
> As Alan tried to explain to you, pam_radius_auth is doing nothing wrong.
> What is undoubtedly happening is that you have the radius server
> configured incorrectly.
>
> I suspect you want it to do this:
>
> 1. request comes in
> 2. fetch password from ldap
> 3. compare crypted password from LDAP with password supplied
>
> I suspect what it's actually doing is:
>
> 1. request comes in
> 2. ldap searched for user - found
> 3. password is checked by doing LDAP simple bind
>
> If you want the first, configure the radius server to do that. Hint: see
> the "set_auth_type = no" option on recent versions of the server, or
> have the users file read:
>
> DEFAULT Auth-Type := Local
>
> Or, be more clear about what the problem is. "It doesn't work how I
> think it should" does not help, especially when you are wrong in your
> assumptions.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
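As an added illustration (not code from this thread, from pam_radius_auth or from FreeRADIUS), the two mechanisms Phil describes above: the RFC 2865 section 5.2 hiding of User-Password with the shared secret and the 16-octet Request Authenticator, and the auto_header split of an LDAP userPassword {type} prefix into the matching radius config attribute. The secret, authenticator and password values are constructed samples; treating a header-less value as cleartext is an assumption of this example.

```python
import hashlib

# Mapping Phil lists above: LDAP {type} prefix -> radius config attribute.
AUTO_HEADER = {"clear": "User-Password", "crypt": "Crypt-Password", "ssha": "SSHA-Password"}


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side of RFC 2865 section 5.2: XOR the NUL-padded password with an
    MD5 keystream, first block keyed on the Request Authenticator, later blocks
    on the previous ciphertext block."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, chained on the received ciphertext blocks.
    Trailing NUL padding is stripped (assumes the password itself has none)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def split_auto_header(user_password: str) -> tuple:
    """Strip an LDAP userPassword {type} header and name the config attribute
    it maps to, as auto_header does for the three types listed in the thread."""
    if user_password.startswith("{") and "}" in user_password:
        header, value = user_password[1:].split("}", 1)
        if header.lower() in AUTO_HEADER:
            return AUTO_HEADER[header.lower()], value
        raise ValueError(f"unsupported password header {{{header}}}")
    return "User-Password", user_password  # no header: assumed cleartext
```

Once the server has revealed the PAP password this way, the {crypt} value from LDAP is what the crypt() comparison in step 3b above runs against; the secret only protects the wire, not the server's memory.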