This one didn't make it either:

--- Forwarded mail from [EMAIL PROTECTED]

Date: Wed, 12 Apr 2000 06:10:23 +1000
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: BOUNCE [EMAIL PROTECTED]:    Non-member submission from [Joost
Stegeman <[EMAIL PROTECTED]>]

>From owner-radiator  Wed Apr 12 06:10:19 2000
Received: (from uucp@localhost) by oscar.open.com.au (8.6.12/8.6.12) id
GAA26542 for [EMAIL PROTECTED]; Wed, 12 Apr 2000 06:10:19 +1000
>Received: from tulpje.pcservice.mynet (4dyn166.dh.casema.net [212.64.4.166])
by perki.connect.com.au with ESMTP id FAA05175
  (8.8.8/IDA-1.7 for <[EMAIL PROTECTED]>); Wed, 12 Apr 2000 05:57:22 +1000
(EST)
Received: from tulpje.pcservice.mynet (4dyn166.dh.casema.net [212.64.4.166]) by
perki.connect.com.au with ESMTP id FAA05175
  (8.8.8/IDA-1.7 for <[EMAIL PROTECTED]>); Wed, 12 Apr 2000 05:57:22 +1000
(EST)
Received: from kpn.net (tulp.pcservice.mynet [192.168.1.10])
        by tulpje.pcservice.mynet (8.8.5/8.8.5) with ESMTP id VAA02949
        for <[EMAIL PROTECTED]>; Tue, 11 Apr 2000 21:55:42 +0200
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 11 Apr 2000 21:55:41 +0200
From: Joost Stegeman <[EMAIL PROTECTED]>
Organization: KPN
X-Mailer: Mozilla 4.51 [en] (Win95; I)
X-Accept-Language: en,nl
MIME-Version: 1.0
To: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Decrypting passwords for authentication
References: <[EMAIL PROTECTED]>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Content-Length: 1939

Hi Stephen,

"Felicetti, Stephen A." wrote:
>
> Hi there!
>
> I have a question about the way Radiator decrypts the passwords that are
> held in my LDAP directory.
> The passwords are stored in standard unix crypt format.
> I'm using a Cisco NAS to request authentication for its dialin peers.
>
> Here's my understanding of how things work. The end user via PAP sends the
> plaintext username/password to the NAS.
> The NAS uses the radius secret to encrypt the password on the internal
> network on its way to Radiator.
> Radiator decrypts the user password, and compares it to the password
> retrieved from LDAP.

OK

> I'm assuming that Radiator must first decrypt the LDAP password before the
> comparison.
> Is this correct?

No, Radiator looks at the LDAP password and thinks: "Gee, this is a
{crypt} password." Radiator crypts the password from the NAS and
compares the two crypted passwords.

>
> Now here is why I ask.....I need to begin using CHAP on the NAS. I
> understand that CHAP requires plaintext passwords in LDAP.

Correct, CHAP does need plaintext passwords.

> If Radiator normally decrypts the password prior to the comparison (w/
> PAP), then can't it decrypt the LDAP password BEFORE applying the CHAP
> one-way hash? Thereby applying the hash to a plaintext password?

As explained, it can't.
You can try logging the passwords as they come by from the NAS (pre-auth
hook). You can then convert most of your LDAP passwd db to plaintext
after a while.

Many people think CHAP is safer than PAP, but if your plaintext password
db is hacked, all passwords are exposed.

- Joost.

>
> Thanks a lot!!!
> Steve
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Stephen A. Felicetti                    Sr. Network Engineer
> mailto:[EMAIL PROTECTED]            Fox Chase Cancer Center
> 215-728-2956 (v)
> 215-728-2513 (f)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
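Added example, not Radiator's code or anything from the thread: a minimal PAP check and a minimal CHAP check against an LDAP-style `{crypt}` entry, showing why the server can re-crypt a PAP password and compare, but has no plaintext to feed into the CHAP MD5 (RFC 1994). The function names, the sample password and the challenge are mine; where the interpreter has no traditional crypt(3), a clearly labelled stand-in one-way transform is used.

```python
import hashlib
import hmac

# Traditional crypt(3): 2-char salt in, 13-char string out, one-way.
try:
    import crypt  # deprecated in Python 3.11 and removed in 3.13
    _probe = crypt.crypt("probe", "ab")
    if not (isinstance(_probe, str) and len(_probe) == 13):
        raise ImportError("traditional DES crypt not available")

    def unix_crypt(password: str, salt: str) -> str:
        return crypt.crypt(password, salt[:2])
except (ImportError, OSError):
    def unix_crypt(password: str, salt: str) -> str:
        # Stand-in (my assumption, not real crypt(3)): salted, one-way, 13 chars.
        digest = hashlib.sha256((salt[:2] + password).encode()).hexdigest()
        return salt[:2] + digest[:11]


def check_pap(stored: str, pap_password: str) -> bool:
    """PAP: the server holds the plaintext (RADIUS only hides it on the wire),
    so it re-crypts it with the stored salt and compares the two crypted values."""
    if stored.startswith("{crypt}"):
        crypted = stored[len("{crypt}"):]
        return hmac.compare_digest(unix_crypt(pap_password, crypted[:2]), crypted)
    return hmac.compare_digest(stored.encode(), pap_password.encode())


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def check_chap(stored: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """CHAP: the server only receives MD5(id, password, challenge) and must
    recompute it itself, which requires the plaintext password."""
    if stored.startswith("{crypt}"):
        return False  # crypt(3) is one-way: there is no plaintext to feed into MD5
    return hmac.compare_digest(chap_response(chap_id, stored, challenge), response)


if __name__ == "__main__":
    ldap_entry = "{crypt}" + unix_crypt("s3cret", "ab")  # constructed sample entry
    challenge = bytes(range(16))                          # constructed sample challenge
    resp = chap_response(7, "s3cret", challenge)
    print("PAP  vs {crypt} entry:   ", check_pap(ldap_entry, "s3cret"))
    print("CHAP vs {crypt} entry:   ", check_chap(ldap_entry, 7, challenge, resp))
    print("CHAP vs plaintext entry: ", check_chap("s3cret", 7, challenge, resp))
```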



---End of forwarded mail from [EMAIL PROTECTED]

-- 
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 
2000, NT, MacOS X
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
