Re: Password Learning?
On Fri, 2005-03-04 at 16:35, Dustin Doris wrote: > On Wed, 2 Mar 2005, Nick Bright wrote: > > > Although I just had a thought. I can put the unix Crypt()'d password in > > the database if I use Password-Crypt (I think that's the flag, I'll look > > in the docs, I know I've seen it). > > > > If you have access to the /etc/passwd and can get the crypt passwords that > should work. In sql just set the attribute as Crypt-Password. If you are > using ldap, just prefix the password with {crypt} (added that in case > anyone searches the archives looking for something similar but w/ ldap). > > That would be the easiest way to go. Yeah, I figured that out. . . Have that set up and working (some of my recent posts have been dealing with that) > > Otherwise, you could use an external script. If you know perl, look into > rlm_perl. You can call it at any point in the authentication process and > you could create the sql calls to insert the username/password during > auth. Or you could just write a script in another language. The benefit > of the perl module is that its persistant. Check out the exec echo part > of radiusd.conf if you want to use another language. > I'll probably end up using a script to convert peoples passwords when they log in, or just do it with a query (since I'm logging the plain text password to SQL anyways) later. > I think they also have rlm_python if you know python, which will also > provide a persistant connection to the script (I believe). > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- - Nick Bright Terraworld, Inc 888-332-1616 x315 http://home.terraworld.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Password Learning?
On Wed, 2 Mar 2005, Nick Bright wrote: > Although I just had a thought. I can put the unix Crypt()'d password in > the database if I use Password-Crypt (I think that's the flag, I'll look > in the docs, I know I've seen it). > If you have access to the /etc/passwd and can get the crypt passwords that should work. In sql just set the attribute as Crypt-Password. If you are using ldap, just prefix the password with {crypt} (added that in case anyone searches the archives looking for something similar but w/ ldap). That would be the easiest way to go. Otherwise, you could use an external script. If you know perl, look into rlm_perl. You can call it at any point in the authentication process and you could create the sql calls to insert the username/password during auth. Or you could just write a script in another language. The benefit of the perl module is that its persistant. Check out the exec echo part of radiusd.conf if you want to use another language. I think they also have rlm_python if you know python, which will also provide a persistant connection to the script (I believe). - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Password Learning?
On Wed, 2005-03-02 at 11:51, Alan DeKok wrote: > Nick Bright <[EMAIL PROTECTED]> wrote: > > Could you be a little more specific? I don't see how to do that right > > off. If you could point me in the right direction, I think I could > > figure it out. > > My suggestion would be to run a script if the user fails > authentication, to check if the password is in the SQL database, and > add it, if not. I'll look in the documentation to see how to do this, thanks. > > This means that the users first request will be rejected, but the > second one will be OK. Whatever it takes :) > > There is NO facility within the server do to complex updates like > this, because those updates are not normally part of authenticating > the user. Yeah, and it really /shouldn't/ need to be. This is more of a custom kludge to solve a specific problem. . . though perhaps that might be a nifty module to have in the software? Something someone in my situation could enable to allow migration from one server to another when passwords are encrypted. Although I just had a thought. I can put the unix Crypt()'d password in the database if I use Password-Crypt (I think that's the flag, I'll look in the docs, I know I've seen it). > > Alan DeKok. > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- - Nick Bright Terraworld, Inc 888-332-1616 x315 http://home.terraworld.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Password Learning?
Nick Bright <[EMAIL PROTECTED]> wrote: > Could you be a little more specific? I don't see how to do that right > off. If you could point me in the right direction, I think I could > figure it out. My suggestion would be to run a script if the user fails authentication, to check if the password is in the SQL database, and add it, if not. This means that the users first request will be rejected, but the second one will be OK. There is NO facility within the server do to complex updates like this, because those updates are not normally part of authenticating the user. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Password Learning?
On Tue, 2005-03-01 at 17:26, Alan DeKok wrote: > Nick Bright <[EMAIL PROTECTED]> wrote: > > My question is this: Can FreeRADIUS *learn* passwords, if a user has no > > password set? What I mean is that when it queries the database, if it > > finds a NULL password, it would *SET* the password to whatever was > > submitted? > > If you run an external script, yes. > Could you be a little more specific? I don't see how to do that right off. If you could point me in the right direction, I think I could figure it out. > Alan DeKok. > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- - Nick Bright Terraworld, Inc 888-332-1616 x315 http://home.terraworld.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Password Learning?
Nick Bright <[EMAIL PROTECTED]> wrote: > My question is this: Can FreeRADIUS *learn* passwords, if a user has no > password set? What I mean is that when it queries the database, if it > finds a NULL password, it would *SET* the password to whatever was > submitted? If you run an external script, yes. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Password Learning?
I have a rather interesting problem here. I'm configuring a new realm for some services for a large group of customers we aquired in a buy-out of another company. The problem is, they stored their users as local users in their systems, and didn't have it tied to account at all, so I have no difinitive username list, and certainly no password list. While I think I'll be able to get a list of usernames to plug in to the SQL database (I had no problems getting FreeRADIUS set up to do what I wanted to do as far as querying SQL and talking to multiple realms), but I still have the password problem. My question is this: Can FreeRADIUS *learn* passwords, if a user has no password set? What I mean is that when it queries the database, if it finds a NULL password, it would *SET* the password to whatever was submitted? I do realize that there are security implications with doing this. However, this would be a temporary thing for us, to make the transition between companies a lot smoother for the users. If this isn't a current feature any speculation, comments, or suggestions on how to make it happen are welcome. -- - Nick Bright Terraworld, Inc 888-332-1616 x315 http://home.terraworld.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html