Sven Hartge <s...@svenhartge.de> wrote:
> Andreas Rudat <ru...@endstelle.de> wrote:
>> On 11.11.2011 03:56, Fajar A. Nugraha wrote:
>>> On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten <ggat...@waddell.com> wrote:
>>>> I agree with Jake, in that I *think* it would be possible to have a
>>>> plugin or whatever interface with LDAP/AD in the same manner
>>>> ntlm_auth does. I don't think one *needs* a cleartext password,
>>>> but does need some way to compare apples-to-apples.
>>> That's exactly what Alan is saying: "store your passwords in the
>>> LDAP as NT-Password or LM-Password"
>> But if that works, why then is everyone saying that you can just work
>> with plaintext? It's really confusing.
> NT/LM-Password is "special". This is why it works with MSCHAPv2, both
> being a Microsoft "invention".

To be precise: MSCHAPv2 works with the NT/LM-Password as input to the
Challenge-Handshake and not the "raw" cleartext password. This is why
this works. FreeRADIUS converts a cleartext password into the needed
NT-Hash and then applies this to the MSCHAPv2 handshake. Or it uses a
pre-existing NT-Hash from LDAP/MySQL/whatever.

Quote from http://en.wikipedia.org/wiki/NTLM

,----
| The NTLM protocol uses one or both of two hashed password values, both
| of which are also stored on the server (or domain controller), and which
| are password equivalent, meaning that if you grab the hash value from
| the server, you can authenticate without knowing the actual password.
`----

This also means you have to protect those hashes inside your database
like a raw cleartext password, as you can authenticate to any Windows
box with the knowledge of the NT/LM-Hash. This has been exploited by
several Windows trojan horses, which grabbed the NT-Hash from the
Administrator user to log in to other boxes on the network using the
same password (or worse: the domain controller).

Regards,
S°

-- 
Sigmentation fault. Core dumped.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html