On 12.11.2011 23:00, Sven Hartge wrote:
> Sven Hartge <s...@svenhartge.de> wrote:
>> Andreas Rudat <ru...@endstelle.de> wrote:
>>> On 11.11.2011 03:56, Fajar A. Nugraha wrote:
>>>> On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten <ggat...@waddell.com> wrote:
>>>>> I agree with Jake, in that I *think* it would be possible to have a
>>>>> plugin or whatever interface with LDAP/AD in the same manner
>>>>> ntlm_auth does. I don't think one *needs* a cleartext password,
>>>>> but does need some way to compare apples-to-apples.
>>>> That's exactly what Alan is saying: "store your passwords in the
>>>> LDAP as NT-Password or LM-Password"
>>> But if that works, why then does everyone say that you can just work
>>> with plaintext? It's really confusing.
>> NT/LM-Password is "special". This is why it works with MSCHAPv2, both
>> being a Microsoft "invention".
> To be precise: MSCHAPv2 works with the NT/LM-Password as input to the
> Challenge-Handshake and not the "raw" cleartext password. This is why
> this works.
>
> FreeRADIUS converts a cleartext password into the needed NT-Hash and
> then applies this to the MSCHAPv2 handshake. Or it uses a pre-existing
> NT-Hash from LDAP/MySQL/whatever.
>
> Quote from http://en.wikipedia.org/wiki/NTLM
> ,----
> | The NTLM protocol uses one or both of two hashed password values, both
> | of which are also stored on the server (or domain controller), and which
> | are password equivalent, meaning that if you grab the hash value from
> | the server, you can authenticate without knowing the actual password.
> `----
>
> This also means you have to protect those hashes inside your database
> like a raw cleartext password, as you can authenticate to any Windows
> box with the knowledge of the NT/LM-Hash.
>
> This has been exploited by several Windows trojan horses, which grabbed
> the NT-Hash of the Administrator user to log in to other boxes on the
> network using the same password (or worse: the domain controller).
>
> Regards,
> S

Ah, many thanks for that clarification, so both are bad no matter which mechanism is used.
Andreas
-- 
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html