Re: Problem with Digest/OpenSER/Radius
Dariusz Dwornikowski wrote: > as i understand, I get Digest of a triple: > > user:realm:password. This is MD5 hashed. Then you don't have the passwords stored in MD5 hashed form. The MD5 hash includes *more* than just the password. Please be specific in describing what you're doing. It matters a LOT. > Radius gets it and takes the same from db and calculates it compares > and says Access-Accept or Reject. There is no way in my mind to have > my passwords not in cleat text in db. Am i correct? You are almost always better off storing clear-text passwords in the DB. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with Digest/OpenSER/Radius
On 2007-03-15, at 21:31, <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> wrote: > You have a table on Alan DeKok's site explaining what protocol/ > password > hashing combinations are possible and which are not: > > http://deployingradius.com/documents/protocols/compatibility.html > > Ivan Kalik > Kalik Informatika ISP > as i understand, I get Digest of a triple: user:realm:password. This is MD5 hashed. Radius gets it and takes the same from db and calculates it compares and says Access-Accept or Reject. There is no way in my mind to have my passwords not in cleat text in db. Am i correct? -- Dariusz Dwornikowski [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with Digest/OpenSER/Radius
You have a table on Alan DeKok's site explaining what protocol/password hashing combinations are possible and which are not: http://deployingradius.com/documents/protocols/compatibility.html Ivan Kalik Kalik Informatika ISP Dana 15/3/2007, "Dariusz Dwornikowski" <[EMAIL PROTECTED]> piše: > >On 2007-03-15, at 16:55, Alan DeKok wrote: > >> Dariusz Dwornikowski wrote: >>> Hi. >>> My problem is such, that we store our passwords in Md5 in database, >>> when authorization request comes from ser, i get digest attributes. >>> I issue: >> >> Digest authentication and MD5 hashed passwords are incompatible. >> >> It won't work. >so I HAVE to user clear text passwords? I was thinking just to >compare md5 of password from SIP package. > >I also tried to use Digest-HA1 instead of User-Password in database, >but it does not work (i am using freeradius 1.1.4). >getting: rlm_digest: Configuration item "User-Password" or Digest-HA1 >is required for authentication. > > >> >>> And in Database I have: >>> >>> id = 1 >>> UserName = test001 >>> Attribute=User-Password >>> Value = test >>> >>> Now, my real database stores passwords as md5 hashes and the radius >>> compares the clear text passwords, how can i force it to compate md5 >>> hashes of passwords? >> >> Use the "MD5-Password" attribute, not the "User-Password" attribute. >> See "man rlm_pap" for more. > >can it be combined with digest ? as I am gennting all the time: > >rlm_digest: Configuration item "User-Password" or Digest-HA1 is >required for authentication. > > >> >> Alan DeKok. >> -- >> http://deployingradius.com - The web site of the book >> http://deployingradius.com/blog/ - The blog >> - >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ >> users.html > >-- >Dariusz Dwornikowski >[EMAIL PROTECTED] > > > >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with Digest/OpenSER/Radius
On 2007-03-15, at 16:55, Alan DeKok wrote: > Dariusz Dwornikowski wrote: >> Hi. >> My problem is such, that we store our passwords in Md5 in database, >> when authorization request comes from ser, i get digest attributes. >> I issue: > > Digest authentication and MD5 hashed passwords are incompatible. > > It won't work. so I HAVE to user clear text passwords? I was thinking just to compare md5 of password from SIP package. I also tried to use Digest-HA1 instead of User-Password in database, but it does not work (i am using freeradius 1.1.4). getting: rlm_digest: Configuration item "User-Password" or Digest-HA1 is required for authentication. > >> And in Database I have: >> >> id = 1 >> UserName = test001 >> Attribute=User-Password >> Value = test >> >> Now, my real database stores passwords as md5 hashes and the radius >> compares the clear text passwords, how can i force it to compate md5 >> hashes of passwords? > > Use the "MD5-Password" attribute, not the "User-Password" attribute. > See "man rlm_pap" for more. can it be combined with digest ? as I am gennting all the time: rlm_digest: Configuration item "User-Password" or Digest-HA1 is required for authentication. > > Alan DeKok. > -- > http://deployingradius.com - The web site of the book > http://deployingradius.com/blog/ - The blog > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ > users.html -- Dariusz Dwornikowski [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with Digest/OpenSER/Radius
Dariusz Dwornikowski wrote: > Hi. > My problem is such, that we store our passwords in Md5 in database, > when authorization request comes from ser, i get digest attributes. > I issue: Digest authentication and MD5 hashed passwords are incompatible. It won't work. > And in Database I have: > > id = 1 > UserName = test001 > Attribute=User-Password > Value = test > > Now, my real database stores passwords as md5 hashes and the radius > compares the clear text passwords, how can i force it to compate md5 > hashes of passwords? Use the "MD5-Password" attribute, not the "User-Password" attribute. See "man rlm_pap" for more. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html