On 15 August 2012, at 14:23, Fajar A. Nugraha wrote:

> On Thu, Aug 16, 2012 at 3:40 AM, Robert Haskins
> <robert.hask...@gmail.com> wrote:
>> I get a reject, even though the
>> crypt'd passwords match!
>
> That's not how crypt works. You don't compare the crypted password.
>
>
>> [pap] login attempt with password "krt444"
>
> that is what the user sends
>
>> [pap] Using CRYPT password "*3u.3LS/VKTOVc"
>
> that is what FR reads from whatever backend which stores user
> information (in your case, should be the unix module)
>
>> The crypt'd password ("*3u.3LS/VKTOVc") is exactly what is in the
>> /etc/shadow file.
>
> because that's where FR reads it from, of course it's the same.
>
>> So I am confident the shared secret is correct.
>
> Shared secret has nothing to do with your problem.
>
>> What am I doing wrong?
>
> Simple. Is "krt444" the correct password? FR says it's not.
>
I don't know for sure about your system, but most Unix-based systems will not generate a * in the encrypted password. Normally that is used to indicate a locked or disabled account. From the FreeBSD man pages:

    A password of `*' indicates that password authentication is disabled
    for that account (logins through other forms of authentication, e.g.,
    using ssh(1) keys, will still work). The field only contains encrypted
    passwords, and `*' can never be the result of encrypting a password.

You might want to try reentering that password or check your man pages.
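
The check suggested in the reply above, as an added example that is not part of the original thread: a Python classifier that decides from structure alone whether a passwd/shadow password field can ever match a submitted password. The function names and every sample field other than the value quoted in the thread are assumptions made for illustration.

```python
import re

# Characters crypt(3) uses for salts and hashes; '*' and '!' are not among them.
_B64 = r"[./0-9A-Za-z]"
_DES = re.compile(rf"{_B64}{{13}}")                      # 2-char salt + 11-char hash
_MCF = re.compile(rf"\$[0-9a-z]+\$(?:[^$]+\$)*{_B64}+")  # $id$[params$]salt$hash


def hash_scheme(value):
    """Name the crypt(3) format of `value`, or None if it is not well formed."""
    if _DES.fullmatch(value):
        return "des"
    if _MCF.fullmatch(value):
        return "modular"
    return None


def classify(field):
    """Classify the password field of a passwd/shadow entry.

    Returns (state, scheme): state is 'empty', 'disabled', 'hash' or
    'invalid'; scheme names the hash format, or for a disabled field the
    format of whatever follows the marker, if it is a well-formed hash.
    """
    if field == "":
        return ("empty", None)
    if field[0] in "*!":
        # No password can hash to this string, so every attempt is rejected.
        return ("disabled", hash_scheme(field.lstrip("*!")))
    scheme = hash_scheme(field)
    return ("hash", scheme) if scheme else ("invalid", None)


# Constructed sample fields, apart from the first, which is the value
# quoted in the thread.
SAMPLES = [
    "*3u.3LS/VKTOVc",
    "*",
    "!!",
    "abJnggxhB/yWI",
    "$6$saltsalt$" + "A" * 86,
    "not a hash",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s[:24]!r:28} -> {classify(s)}")
```

For the field quoted in the thread the result is `('disabled', 'des')`: the leading `*` rules out any match, and the 13 characters after it have the shape of a traditional crypt string. That is a structural observation only and says nothing about how the entry came to look that way.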