Re: freeradius 0.8.1 + mysql + password md5

2003-06-15 Thread
> 
> So the question is: where would he like to use MD5? to encrypt the
> password on the AAA server or does the nokia nas talk some strange
> protocol which uses MD5 encryption (I bet it's the first one)?

I try to use freeradius with Ldap. I store the user password in Ldap using an md5
password. All work fine. The server radius takes the md5 password from ldap and
the user can authenticate and accounting. I have ldap in authorize and authenticate
section.
After I try to use freeradius with mysql. With clear password all work fine, but with
an md5 password stored in mysql the user cannot authenticate.
I put sql in authorize and Auth-type=local as default in user file.

I hope that my problem is now more clear.

Thanks


Roberto





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Oliver Graf
On Fri, Jun 13, 2003 at 04:27:05PM +0200, Michael Davidson wrote:
> > thanks but the problem is that I'm using the nokia p022 access controller
> > that don't use Pap but normal radius.
> > So in authorize I use sql but in authentication I use local.
> > What can I use for md5?
> Hi, I think we are all going in different directions with this one.
> 
>   "that don't use Pap but normal radius."
> 
>  What do you mean by "normal radius"? What are you expecting?

Yep, you are right... 

Mr. Pioli seems not to know where to put which protocol.

PAP and CHAP are authentication schemes of PPP, which is done between
CPE (the 'modem') and NAS (the nokia in this case).

PAP transfers a username and a password clear text over the PPP
connection, CHAP transfers a station name and an encrypted string over
the PPP connection.

RADIUS is a protocol in which the NAS (nokia) talks to the AAA server
(freeradius). The AAA server has to have some data about the user
(username and password). Normally the password is encrypted (except
with CHAP, cause chap needs a clear text password) in local storage.
This can be done with many different methods.

So the question is: where would he like to use MD5? to encrypt the
password on the AAA server or does the nokia nas talk some strange
protocol which uses MD5 encryption (I bet it's the first one)?

Oliver.




RE: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Michael Davidson
Hi, I think we are all going in different directions with this one.

"that don't use Pap but normal radius."

 What do you mean by "normal radius"? What are you expecting?

What function does the Nokia box perform for you? What type of
authentication will it be doing?

Regards Mike D.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Roberto
Pioli
Sent: 13 June 2003 01:48
To: [EMAIL PROTECTED]
Subject: Re: freeradius 0.8.1 + mysql + password md5


> The PAP method requires nothing. PAP states that a clear text password
> is sent over the line. How it is compared against a stored password is
> in your hands.
>
> It's the standard problem: will the hacker hijack your phone lines and
> sniff clear text PAP passwords, or will he hack your servers and see
> those clear text passwords required for CHAP in your database?

thanks but the problem is that I'm using the nokia p022 access controller
that don't use Pap but normal radius.
So in authorize I use sql but in authentication I use local.
What can I use for md5?

Thanks

Rob




Re: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Roberto Pioli
> The PAP method requires nothing. PAP states that a clear text password
> is sent over the line. How it is compared against a stored password is
> in your hands.
>
> It's the standard problem: will the hacker hijack your phone lines and
> sniff clear text PAP passwords, or will he hack your servers and see
> those clear text passwords required for CHAP in your database?

thanks but the problem is that I'm using the nokia p022 access controller
that don't use Pap but normal radius.
So in authorize I use sql but in authentication I use local.
What can I use for md5?

Thanks

Rob




Re: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Oliver Graf
On Fri, Jun 13, 2003 at 09:15:45PM +1000, Paul Hampson wrote:
> > From: Oliver Graf
> > Sent: Friday, 13 June 2003 8:43 PM
> 
> > On Fri, Jun 13, 2003 at 12:38:29PM +0200, Oliver Graf wrote:
> > > > thanks
> > > > and so if I want to use an MD5 password it is not possible!?!
> 
> > > With PAP you can use any encryption supported by freeradius. the
> > > standard crypt of glibc2 will also support md5 crypts, if the crypted
> > > password (use the Crypt-Password Attribute in your mysql db) has a
> > > certain format: $1$SEED$CRYPT (see man crypt on your glibc2 system).
> 
> > mod PAP has a mutex against it, but you will have a hard time getting
> > freeradius to use it (as I said: search the list for my patches).
> 
> Huh? I've got mysql+freeradius (CVS, mind you) + PAP/md5 working fine
> here I think... Passwords in the database are stored with MD5("password"),
> and it auths OK...
> 
> Is the patch you're referring to "freeradius-cvs-cryptmutex.diff"??
> 
> Maybe you're solving a problem I don't have, but I'm wondering why I've
> not _got_ that problem.

Yup, if you use rlm_pap, scheme md5, you are fine.

You are not fine if you use crypt, and crypt is made by main/auth.c

rlm_pap is thread-safe.

> Quick glance at the patch, it matters only if you use Crypt-Password
> instead of Password? Bleh, over my head. I can post my config sans
> comments if you're willing to explain why I'm not having problems.

Yep. Only if you use Crypt-Password. rlm_pap uses the Password attribute.

Perhaps it is only a documentation bug, but the fallback crypt in
auth.c is vulnerable in any way.

I'm all open for your config. The problem is that you have many ways
to get freeradius to work. Even ways that should not work (I used
Auth-Type := 'Login' which is nonexistent, gave me no error, but
worked!) work sometimes...

So what freeradius needs is lots of clarifications, I think.

Oliver.




RE: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Paul Hampson
> From: Oliver Graf
> Sent: Friday, 13 June 2003 8:43 PM

> On Fri, Jun 13, 2003 at 12:38:29PM +0200, Oliver Graf wrote:
> > > thanks
> > > and so if I want to use an MD5 password it is not possible!?!

> > With PAP you can use any encryption supported by freeradius. the
> > standard crypt of glibc2 will also support md5 crypts, if the crypted
> > password (use the Crypt-Password Attribute in your mysql db) has a
> > certain format: $1$SEED$CRYPT (see man crypt on your glibc2 system).

> mod PAP has a mutex against it, but you will have a hard time getting
> freeradius to use it (as I said: search the list for my patches).

Huh? I've got mysql+freeradius (CVS, mind you) + PAP/md5 working fine
here I think... Passwords in the database are stored with MD5("password"),
and it auths OK...

Is the patch you're referring to "freeradius-cvs-cryptmutex.diff"??

Maybe you're solving a problem I don't have, but I'm wondering why I've
not _got_ that problem.

Quick glance at the patch, it matters only if you use Crypt-Password
instead of Password? Bleh, over my head. I can post my config sans
comments if you're willing to explain why I'm not having problems.

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

The Creation of the Universe was made
possible by a grant from Texas Instruments.
-- PBS
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=




Re: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Oliver Graf
On Fri, Jun 13, 2003 at 12:38:29PM +0200, Oliver Graf wrote:
> > thanks
> > and so if I want to use an MD5 password it is not possible!?!
> 
> If you use CHAP, you need clear text passwords.
> 
> With PAP you can use any encryption supported by freeradius. the
> standard crypt of glibc2 will also support md5 crypts, if the crypted
> password (use the Crypt-Password Attribute in your mysql db) has a
> certain format: $1$SEED$CRYPT (see man crypt on your glibc2 system).

Just another note: if you don't use the pap module, please note that
using the internal crypt of freeradius is not thread-safe. It will
start failing all crypted auths after some hours (if crypt is used by
multiple threads at the same time).

mod PAP has a mutex against it, but you will have a hard time getting
freeradius to use it (as I said: search the list for my patches).

Oliver.



Re: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Oliver Graf
On Fri, Jun 13, 2003 at 11:55:26AM +0200, Roberto Pioli wrote:
> > Hi Robert,
> >  It is the authentication method that the client-nas have decided on that
> > determines what format the password needs to be in. The CHAP method requires
> > clear text passwords. The MS-CHAP method requires a NT-PASSWORD or
> > LM-PASSWORD format. The PAP method requires... and so on.

The PAP method requires nothing. PAP states that a clear text password
is sent over the line. How it is compared against a stored password is
in your hands.

It's the standard problem: will the hacker hijack your phone lines and
sniff clear text PAP passwords, or will he hack your servers and see
those clear text passwords required for CHAP in your database?

> thanks
> and so if I want to use an MD5 password it is not possible!?!

If you use CHAP, you need clear text passwords.

With PAP you can use any encryption supported by freeradius. the
standard crypt of glibc2 will also support md5 crypts, if the crypted
password (use the Crypt-Password Attribute in your mysql db) has a
certain format: $1$SEED$CRYPT (see man crypt on your glibc2 system).

If you don't have glibc2 you have to use the pap module of freeradius.
This is a bit tricky, cause freeradius will do a string compare of
passwords if it finds a Password attribute, and so rlm_pap gets not
called. I sent a patch for this to the list two days ago.

Oliver.
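
Added example, not part of the original post and not FreeRADIUS code: a Python sketch of the point made above, that PAP lets the server hash the received cleartext and compare it to a stored MD5, while CHAP (RFC 1994) can only be checked against a stored cleartext secret, and that a plain string compare against a stored hash always fails. All function names and sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample values (assumptions, not taken from the thread's systems).
STORED_MD5 = hashlib.md5(b"password").hexdigest()   # what MD5("password") stores
CHALLENGE = bytes(range(16))                         # constructed CHAP challenge

def classify_stored(value):
    """Guess the storage format of a password column value."""
    if re.fullmatch(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}", value):
        return "md5-crypt"   # $1$SEED$CRYPT, the crypt(3) MD5 format
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "md5-hex"     # plain MD5 digest in hex
    return "cleartext"

def pap_verify(received, stored):
    """PAP: the server sees the cleartext, so it can hash it and compare."""
    kind = classify_stored(stored)
    if kind == "md5-hex":
        digest = hashlib.md5(received.encode()).hexdigest()
        return hmac.compare_digest(digest, stored.lower())
    if kind == "cleartext":
        return hmac.compare_digest(received.encode(), stored.encode())
    raise NotImplementedError("md5-crypt must be checked with crypt(3)")

def string_compare(received, stored):
    """Plain string compare: fails as soon as the stored value is a hash."""
    return received == stored

def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP: MD5 over identifier, secret and challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(ident, challenge, response, stored):
    """CHAP: the server must recompute the response from the cleartext."""
    if classify_stored(stored) != "cleartext":
        return False         # a stored hash cannot be turned back into the secret
    expected = chap_response(ident, stored.encode(), challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    resp = chap_response(1, b"password", CHALLENGE)
    print("PAP vs md5-hex:     ", pap_verify("password", STORED_MD5))
    print("string compare:     ", string_compare("password", STORED_MD5))
    print("CHAP vs cleartext:  ", chap_verify(1, CHALLENGE, resp, "password"))
    print("CHAP vs md5-hex:    ", chap_verify(1, CHALLENGE, resp, STORED_MD5))
```
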




Re: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Roberto Pioli
> Hi Robert,
>  It is the authentication method that the client-nas have decided on that
> determines what format the password needs to be in. The CHAP method requires
> clear text passwords. The MS-CHAP method requires a NT-PASSWORD or
> LM-PASSWORD format. The PAP method requires... and so on.

thanks
and so if I want to use an MD5 password it is not possible!?!

Rob


>
> Regards Mike D.
>




RE: freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Michael Davidson
Hi Robert,
 It is the authentication method that the client-nas have decided on that
determines what format the password needs to be in. The CHAP method requires
clear text passwords. The MS-CHAP method requires a NT-PASSWORD or
LM-PASSWORD format. The PAP method requires... and so on.

Regards Mike D.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Roberto
Pioli
Sent: 13 June 2003 10:52
To: [EMAIL PROTECTED]
Subject: freeradius 0.8.1 + mysql + password md5


I try to use freeradius with user in mysql and all work fine if I use clear
password.
If I use the web interface to write md5 password in the mysql db when I try
to authenticate I'm rejected.
If I use the web interface with clear password option I have no problem.
How can I use crypted password with mysql?

Thanks

Robert Pioli




freeradius 0.8.1 + mysql + password md5

2003-06-13 Thread Roberto Pioli
I try to use freeradius with user in mysql and all work fine if I use clear
password.
If I use the web interface to write md5 password in the mysql db when I try
to authenticate I'm rejected.
If I use the web interface with clear password option I have no problem.
How can I use crypted password with mysql?

Thanks

Robert Pioli

