On 08/31/2013 01:54 PM, Jeff Lee wrote:
> My encrypted password is salted using php crypt function. Is there a similar
> encryption function that I can add a salt to it?

I think the default crypt in PHP is the Unix DES crypt. You could prefix
your hash with {crypt}.

> For this option 'TranslatePasswordHook', is it possible to salt the password?
> Or perhaps, call a MySQL function to pass in the password received by
> radiator and allow MySQL to generate the hashed password and return to
> radiator for comparing against 'sp_GetUserPassword'?

Hmm, I suggest you should take a look at the different hashing and
encryption options in the reference manual ref.pdf. See sections 13.1.1
and 13.1.2 for User-Password and Encrypted-Password check items. You may
find the suitable {prefix} from there if your PHP crypt does something
else than Unix DES crypt.

If you want to pass the password to MySQL function, use %P to get
decoded User-Password.

Thanks,
Heikki

> Thanks,
> Jeff
>
>
> Sent from my iPhone
>
> On 30/08/2013, at 7:06 PM, Heikki Vatiainen <h...@open.com.au> wrote:
>
>> On 08/30/2013 10:46 AM, Jeffrey Lee wrote:
>>
>>> Hi, how do you perform a crypt (one-way hash) on a password to check
>>> against an encrypted password stored in MySql?
>>
>> You need to return the password hash with prefix that tells this is a
>> hash (and what kind of hash this is) and not a plain text password.
>>
>> For example:
>> - password is fred
>> - MySQL hashing produces 0569ef75321b8fed
>> - You need to return {mysql}0569ef75321b8fed so that Radiator knows to
>> hash the incoming User-Password first instead of comparing it directly
>> to 0569ef75321b8fed.
>>
>>> I have a <AuthBy SQL>
>>>
>>> AuthSelect call sp_GetUserPassword('%{User-Name}')
>>> AuthColumnDef 0, User-Password, check
>>>
>>> The stored procedure (MySql routine) will return the encrypted password,
>>> but since the password sent to Radiator is in clear-text, the
>>> authentication request will be rejected.
>>
>> Change sp_GetUserPassword() to return {mysql}hashedvalue instead of
>> plain hashedvalue.
>>
>> If that is not possible, use TranslatePasswordHook in the AuthBy:
>>
>> TranslatePasswordHook sub { return '{mysql}' . $_[0]; }
>>
>>> I'll need the clear-text password sent to radiator to be first encrypted
>>> (similar to PHP's crypt with salt) before comparing against database.
>>
>> A better way to do this is to let Radiator know what the DB has. In this
>> case you need to tell it the DB has MySQL hashes.
>>
>>> Does anyone have a solution to this?
>>
>> Please let us know if the above helps.
>>
>> Thanks,
>> Heikki
>>
>> --
>> Heikki Vatiainen <h...@open.com.au>
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>> NetWare etc.

--
Heikki Vatiainen <h...@open.com.au>
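
The prefix mechanism described in the thread, as an added Python illustration that is not Radiator code and not part of the original messages: the {mysql} prefix on the stored value selects the hash applied to the incoming clear-text password before comparison, here the pre-4.1 MySQL hash that yields the thread's 16-digit value for fred. The function names, the scheme table and the fail-closed handling of unknown prefixes are assumptions of this example.

```python
import hmac
import re

def mysql_old_password(password: str) -> str:
    """Pre-4.1 MySQL password hash: 16 hex digits, no salt."""
    nr, nr2, add = 1345345333, 0x12345671, 7
    for byte in password.encode():
        if byte in (0x20, 0x09):          # spaces and tabs are skipped
            continue
        nr ^= ((((nr & 63) + add) * byte) + (nr << 8)) & 0xFFFFFFFF
        nr2 = (nr2 + (((nr2 << 8) & 0xFFFFFFFF) ^ nr)) & 0xFFFFFFFF
        add += byte
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)

# Hypothetical scheme table for this example; only {mysql} is implemented.
HASHERS = {"mysql": mysql_old_password}
PREFIX = re.compile(r"\{([A-Za-z0-9-]+)\}(.*)", re.S)

def translate_password(stored: str) -> str:
    """Same effect as the TranslatePasswordHook shown in the thread."""
    return "{mysql}" + stored

def check_password(cleartext: str, stored: str) -> bool:
    m = PREFIX.fullmatch(stored)
    if m is None:
        # No prefix: the value is taken as plain text and compared directly.
        return hmac.compare_digest(cleartext.encode(), stored.encode())
    hasher = HASHERS.get(m.group(1).lower())
    if hasher is None:
        return False                      # unknown scheme: fail closed
    computed = hasher(cleartext).encode()
    return hmac.compare_digest(computed, m.group(2).lower().encode())

if __name__ == "__main__":
    db_value = "0569ef75321b8fed"         # hash of "fred" from the thread
    print(check_password("fred", db_value))                      # False
    print(check_password("fred", translate_password(db_value)))  # True
```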