Hi, noone an idea on the issue below? Is my requirement to have PAP credentials verified against NT-Hashes in mySQL so unusual? I would have thought this was a common thing to do...
Am Donnerstag, 26. April 2007 08:51:56 schrieb Stefan Winter: > Hi, > > I try to get rid of cleartext passwords stored in a MySQL db, and replace > them by NT hashes. I set up a test environment and first tried with an > entry in users: > > swinter NT-Password := "...", Auth-Type := Accept > > which worked okay. > > Storing the same password in MySQL did NOT work, with a quite spurious > error, see below: > > Nothing to do. Sleeping until we see a request. > rad_recv: Access-Request packet from host 127.0.0.1:52635, id=148, > length=59 User-Name = "swinter" > User-Password = "test" > NAS-IP-Address = 255.255.255.255 > NAS-Port = 1234 > Processing the authorize section of radiusd.conf > modcall: entering group authorize for request 1 > modcall[authorize]: module "preprocess" returns ok for request 1 > modcall[authorize]: module "chap" returns noop for request 1 > modcall[authorize]: module "mschap" returns noop for request 1 > rlm_realm: No '@' in User-Name = "swinter", looking up realm NULL > rlm_realm: No such realm "NULL" > modcall[authorize]: module "suffix" returns noop for request 1 > rlm_eap: No EAP-Message, not doing EAP > modcall[authorize]: module "eap" returns noop for request 1 > modcall[authorize]: module "files" returns notfound for request 1 > radius_xlat: 'swinter' > rlm_sql (sql): sql_set_user escaped user --> 'swinter' > radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM > radcheck WHERE Username = 'swinter' ORDER BY id' > rlm_sql (sql): Reserving sql socket id: 3 > radius_xlat: 'SELECT > radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch >eck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE > usergroup.Username = 'swinter' AND usergroup.GroupName = > radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT > id, UserName, Attribute, Value, op FROM radreply WHERE > Username = 'swinter' ORDER BY id' radius_xlat: 'SELECT > radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre >ply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE > usergroup.Username = 'swinter' AND usergroup.GroupName = > radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released > sql socket id: 3 > modcall[authorize]: module "sql" returns ok for request 1 > rlm_pap: Normalizing NT-Password from hex encoding > modcall[authorize]: module "pap" returns updated for request 1 > modcall: leaving group authorize (returns updated) for request 1 > rad_check_password: Found Auth-Type pap > auth: type "PAP" > Processing the authenticate section of radiusd.conf > modcall: entering group PAP for request 1 > rlm_pap: login attempt with password test > rlm_pap: Using NT encryption. > radius_xlat: Running registered xlat function of module mschap for > string 'NT-Hash test' > rlm_mschap: Unknown expansion string "NT-Hash test" > radius_xlat: '' > rlm_pap: mschap xlat failed > rlm_pap: Passwords don't match > modcall[authenticate]: module "pap" returns reject for request 1 > modcall: leaving group PAP (returns reject) for request 1 > auth: Failed to validate the user. > Delaying request 1 for 1 seconds > Finished request 1 > > Especially the lines > > radius_xlat: Running registered xlat function of module mschap for > string 'NT-Hash test' > rlm_mschap: Unknown expansion string "NT-Hash test" > radius_xlat: '' > rlm_pap: mschap xlat failed > > appear suspicious ("test" is the password"). Maybe there's some xlat > escaping wrong? > The configuration in use is almost as shipped, only added sql config. > > Greetings, > > Stefan Winter Content of mySQL is: > +----+----------+-------------+----------------------------------+----+ > | id | UserName | Attribute | Value | op | > +----+----------+-------------+----------------------------------+----+ > | 1 | swinter | NT-Password | 0CB6948805F797BF2A82807973B89537 | := | > +----+----------+-------------+----------------------------------+----+ and no radgroupchecks. Sidenote: I looked into the code of rlm_pap and its call to xlat of rlm_mschap. I really couldn't figure out what is supposed to happen in that call, the xlat string "NT-Hash <password>" has no mention at all in rlm_mschaps xlat. Maybe some old code section that got lost somewhen? Greetings, Stefan -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
pgpEqLh7v7h0p.pgp
Description: PGP signature
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html