Hi. The problem is not storing the passwords in the clear, as the RADIUS server is actually a Windows 2008 R2 NPS server; it is, however, that PAP sends ASCII characters unencrypted over the wire, as opposed to other EAP solutions or even CHAP. So while the password with PAP may or may not be encrypted on the wire, it most certainly is with CHAP. The NTLM hashes have no influence here, as the only task of login_radius is to send the username and password to a RADIUS server and wait for its Granted/Denied response. But the method it uses to send and receive that information could be crucial. So the real question is: does login_radius hash or encrypt the password it sends, and is there an option to use CHAP, or did someone think that PAP is good enough? Like I said, this is not really a show-stopper, but I am somewhat baffled by the fact that OpenBSD is touted to be security-centric to the point of code audits and yet it supports only PAP.
Aleš Golob

> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Stephen Spencer
> Sent: Thursday, December 13, 2012 3:32 PM
> To: misc@openbsd.org
> Subject: Re: login_radius support for encrypted authentication type?
>
> I haven't worked with OpenBSD in this context, but I've set up 802.1X auth for layer-2 wireless. It's LDAP backed. We happen to also run a samba3 domain, so LDAP also stores NTLM hashes. I'm not a radius expert, but the only mechanism that seems to be able to deal with non-clear passwords seems to have to deal with NTLM hashes. If there isn't a way to pass the auth request through some kind of layer that will give you a pass/fail response, I'm pretty sure you're stuck with having to store your radius passwords in the clear.
>
> -Stephen
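What PAP and CHAP actually put into a RADIUS Access-Request, as an added example for this thread (it is not part of either post and not OpenBSD's login_radius code): the PAP User-Password hiding from RFC 2865 section 5.2, its reversal by anyone who holds the shared secret, and the CHAP-Password digest from section 5.3. The shared secret, Request Authenticator, challenge and passwords are constructed values.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """User-Password attribute value for a PAP Access-Request (RFC 2865 s5.2).

    The password is NUL-padded to a multiple of 16 octets; each 16-octet block
    p_i is XORed with b_i = MD5(secret || c_(i-1)), where c_0 is the 16-octet
    Request Authenticator and c_i the previous output block. This is
    obfuscation keyed by the shared secret, not encryption of the password
    under a key only the user holds.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16  # an empty password still yields one block
    out = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = _xor16(padded[i:i + 16], b)
        out += c
        prev = c
    return out


def pap_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Undo pap_hide_password. A sniffer who knows (or brute-forces) the shared
    secret recovers the cleartext password from a captured Access-Request."""
    if len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a multiple of 16 octets")
    out = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += _xor16(c, b)
        prev = c
    return out.rstrip(b"\x00")  # strips the padding (and any genuine trailing NULs)


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: MD5(id || password || challenge) (RFC 2865 s5.3, RFC 1994).
    The password itself never crosses the wire, only this digest."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_id: int, response: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server-side check. Note what the server must hold to do it: the cleartext
    password (or an equivalent), which is why CHAP and password hashing at the
    server do not mix."""
    return hmac.compare_digest(response, chap_response(chap_id, stored_password, challenge))


def chap_offline_guess(chap_id: int, response: bytes, challenge: bytes,
                       wordlist: Iterable[bytes]) -> Optional[bytes]:
    """What a passive observer can do with a captured CHAP exchange: no shared
    secret needed, but each candidate costs one MD5, so weak passwords still fall."""
    for candidate in wordlist:
        if chap_response(chap_id, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    secret = b"testing123"                 # constructed shared secret
    authenticator = os.urandom(16)         # Request Authenticator chosen by the client
    password = b"correct horse battery staple"

    hidden = pap_hide_password(password, secret, authenticator)
    print("PAP User-Password on the wire:", hidden.hex())
    print("recovered with the shared secret:", pap_reveal_password(hidden, secret, authenticator))

    challenge = os.urandom(16)             # CHAP-Challenge sent by the client
    resp = chap_response(1, password, challenge)
    print("CHAP-Password on the wire:", resp.hex())
    print("server verifies:", chap_verify(1, resp, challenge, password))
    print("dictionary hit:", chap_offline_guess(1, resp, challenge, [b"password", password]))
```

The practical reading for the thread: with PAP, everything needed to recover the password from a capture is the RADIUS shared secret, so the protection is only as good as that secret and the path between NAS and server; with CHAP the server never sees anything it can reverse, but it must keep the cleartext password (which is what NPS needs reversibly encrypted passwords for), and a captured exchange is still open to offline guessing.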