RE: PHP MD5 with appended salt

2013-03-07 Thread René Klomp
  xlat are placeholders in strings, usually used for substituting attribute 
 values, for example: 

  
  update reply {
          Reply-Message := "Hello %{User-Name}"
  }
  
  The %{User-Name} is an xlat expansion.
  
  The xlat expansion %{md5:text} expands to an md5 hash of text. So you 
 have something like:
  
  # %{Salt} and %{database password} stand for however you fetch those values
  if (%{md5:%{User-Password}:%{Salt}} == %{database password}) {
          update control {
                  Auth-Type := Accept   # Accept is the defined Auth-Type value
          }
  }
  
  There's also an %{sql:text} xlat, which executes the text portion as a 
 query and expands to the first column of the first row in the result set.
  
  In the above condition you could use the sql xlat in place of %{Salt} and 
 %{database password} to retrieve the bits of info you need to authenticate 
 the user, though it's a little inefficient as you have to query twice. 
  
  There are ways to work around the limitations of sql xlat, for example you 
 can CONCAT the values of two columns and then break them apart with a regex 
 and capture groups. See man unlang.
  
  -Arran


Nice :) 


I have added the following to my authorize section and it works:



if (%{md5:%{User-Password}:SALT} == %{sql:SELECT radcheck.value FROM `radcheck` WHERE radcheck.username = '%{User-Name}'}) {
        update control {
                Auth-Type := 'Accept'
        }
}
else {
        sql  # to make sure that the sql module is loaded.
}


Is there a better way to solve the loading of the sql module?
If I do not include the else section, the %{sql:...} does not work. But if I 
place it outside the else, or when the user enters the wrong password, the 
database is queried twice.


Thanks for your help


- Rene
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PHP MD5 with appended salt

2013-03-07 Thread Alan DeKok
René Klomp wrote:
 Is there a better way to solve the loading of the sql module?
 If I do not include the else section, the %{sql:...} does not work. But if I 
 place it outside the else, or when the user enters the wrong password, the 
 database is queried twice.

  Add it to the instantiate section of radiusd.conf.

  Alan DeKok.


Re: PHP MD5 with appended salt

2013-03-07 Thread Olivier Beytrison
On 07.03.2013 17:15, René Klomp wrote:
  xlat are placeholders in strings, usually used for substituting attribute 
 values, for example: 
 Is there a better way to solve the loading of the sql module?
 If I do not include the else section, the %{sql:...} does not work. But if I 
 place it outside the else, or when the user enters the wrong password, the 
 database is queried twice.
 

in radiusd.conf, there's an instantiate {} section where you can put sql

Olivier B.

-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


PHP MD5 with appended salt

2013-03-06 Thread René Klomp

Hi all,

I am trying to connect my freeradius server to a mysql database containing all 
users. I created a new view to represent the table structure needed by 
freeradius, but I have a problem with validating the passwords.

The passwords of my users are (from a PHP application) concatenated with a 
salt, which is the same for all passwords, and stored using the regular php md5 
function: md5($userpass . ':' . $salt)


How can I make freeradius append this salt to the password as well and 
validate the password in the correct way? Is there a default way to do this? Or 
should I create a module to do this?


Regards,
René





Re: PHP MD5 with appended salt

2013-03-06 Thread Olivier Beytrison

On 06.03.2013 17:29, René Klomp wrote:


Hi all,

I am trying to connect my freeradius server to a mysql database containing all 
users. I created a new view to represent the table structure needed by 
freeradius, but I have a problem with validating the passwords.

The passwords of my users are (from a PHP application) concatenated with a 
salt, which is the same for all passwords, and stored using the regular php md5 
function: md5($userpass . ':' . $salt)


How can I make freeradius append this salt to the password as well and 
validate the password in the correct way? Is there a default way to do this? Or 
should I create a module to do this?

First question, how are your users identifying with freeradius? PAP? 
CHAP? MSCHAP? EAP?


If the password is sent in clear by the user, you could use the md5 xlat 
function then compare the value in your database.


Olivier
--
 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


RE: PHP MD5 with appended salt

2013-03-06 Thread René Klomp

On 06.03.2013 17:59 Olivier Beytrison wrote:
 
 On 06.03.2013 17:29, René Klomp wrote:
 
  Hi all,
 
  I am trying to connect my freeradius server to a mysql database containing 
all users. I created a new view to represent the table structure needed by 
freeradius, but I have a problem with validating the passwords.
 
  The passwords of my users are (from a PHP application) concatenated with a 
salt, which is the same for all passwords, and stored using the regular php 
md5 function: md5($userpass . ':' . $salt)
 
 
  How can I make freeradius append this salt to the password as well and 
validate the password in the correct way? Is there a default way to do this? 
Or should I create a module to do this?
 
 First question, how are your users identifying with freeradius? PAP?
 CHAP? MSCHAP? EAP?
 
 If the password is sent in clear by the user, you could use the md5 xlat
 function then compare the value in your database.
 
 Olivier
 --
   Olivier Beytrison
   Network  Security Engineer, HES-SO Fribourg
   Mail: oliv...@heliosnet.org


At the moment I am testing with PAP. 
What do you mean by 'the md5 xlat'? 


I have no previous experience with radius, this is my first project, so if you 
can please elaborate a bit more.


Regards,
René Klomp


Re: PHP MD5 with appended salt

2013-03-06 Thread Arran Cudbard-Bell

 At the moment I am testing with PAP. 

Ok. Because it will only ever work with PAP.

 What do you mean by 'the md5 xlat'? 

xlat are placeholders in strings, usually used for substituting attribute 
values, for example:

update reply {
        Reply-Message := "Hello %{User-Name}"
}

The %{User-Name} is an xlat expansion.

The xlat expansion %{md5:text} expands to an md5 hash of text. So you 
have something like:

# %{Salt} and %{database password} stand for however you fetch those values
if (%{md5:%{User-Password}:%{Salt}} == %{database password}) {
        update control {
                Auth-Type := Accept   # Accept is the defined Auth-Type value
        }
}

There's also an %{sql:text} xlat, which executes the text portion as a 
query and expands to the first column of the first row in the result set.

In the above condition you could use the sql xlat in place of %{Salt} and 
%{database password} to retrieve the bits of info you need to authenticate 
the user, though it's a little inefficient as you have to query twice.

There are ways to work around the limitations of sql xlat, for example you can 
CONCAT the values of two columns and then break them apart with a regex and 
capture groups. See man unlang.

-Arran
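An added example in Python (not code from anyone in this thread) that mirrors the check Arran describes and the single-query CONCAT workaround: it computes the same lowercase hex digest that PHP's md5($userpass . ':' . $salt) and the %{md5:...} xlat produce, splits a "hash:salt" row with regex capture groups the way the unlang workaround would, and compares. The salt value, the sample user and the function names are made up for the example.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample data: a site-wide salt (the thread's "SALT") and one user
# whose stored value is exactly what PHP's md5($userpass . ':' . $salt) yields.
# Both values are made up for this example.
SALT = "site-wide-salt-placeholder"
STORED = {
    "alice": hashlib.md5(b"wonderland:" + SALT.encode()).hexdigest(),
}


def php_md5_with_salt(userpass: str, salt: str) -> str:
    """Digest of userpass + ':' + salt as lowercase hex, which is what both
    PHP md5() and the FreeRADIUS %{md5:...} xlat return."""
    return hashlib.md5(f"{userpass}:{salt}".encode("utf-8")).hexdigest()


# Stand-in for the workaround: one %{sql:SELECT CONCAT(value, ':', salt) ...}
# query returning a single column, so the server does not have to query twice.
def concat_row_for(username: str) -> Optional[str]:
    digest = STORED.get(username)
    return None if digest is None else f"{digest}:{SALT}"


CONCAT_RE = re.compile(r"^([0-9a-f]{32}):(.*)$")


def pap_authorize(username: str, user_password: str) -> bool:
    """Mirror of the unlang condition with PAP (cleartext User-Password):
    fetch hash and salt in one query, split them with capture groups,
    hash the presented password the PHP way and compare."""
    row = concat_row_for(username)
    if row is None:
        return False            # unknown user: the sql xlat would expand to ""
    match = CONCAT_RE.match(row)
    if match is None:
        return False            # malformed row: never accept
    stored_hash, salt = match.group(1), match.group(2)
    candidate = php_md5_with_salt(user_password, salt)
    # constant-time compare (unlang's == is a plain string compare)
    return hmac.compare_digest(candidate, stored_hash)
```

As the thread notes, this only works with PAP, because the server must see the cleartext password to recompute the salted digest.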