Please direct me to the CHAP spec and I will look it over but here is the bottom line:

* a user must authenticate with some key (password)
* a RAS will need to send this information up to the radius box to see if they are permitted. Some sort of password or "challenge" needs to be sent to compare to.
* This "challenge" or password sent to the radius box for CHAP is currently compared to the 'plain text' users file. But it SHOULD be able to be compared to the /etc/shadow file also.

Russell

Kostas Kalevras wrote:

> On Wed, 24 Oct 2001, Russell Enderby wrote:
>
> > But other more commercial radius packages such as steel belted and such allow
> > this.
> >
> > Frankly I don't see why this is a big deal. Why can't radiusd simply take the
> > password handed to it by CHAP and then compare it to the system shadow file
> > instead of the plain text password given in the users file?
> >
> > If you can auth from a plain text file or a sql database then the protocol clearly
> > does not care where you compare the password to and it is a restriction of free
> > radius and not the protocol.
> >
> > Russell
> >
>
> Please, read the CHAP specification. The user password is never sent through the
> wire. Only a challenge request, response. That is why you NEED the user password
> in plain text in order to check if the challenge response is valid.
>
> --
> kkalev
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
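
The check described in the quoted reply, as an added example that is not part of the original thread or of FreeRADIUS: RFC 1994 CHAP computes MD5(identifier || secret || challenge), so the verifier has to hold the same secret the client used. The password, salt, identifier and the PBKDF2 stand-in for a shadow-style entry are constructed assumptions.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(ident: int, challenge: bytes, response: bytes,
                stored_secret: bytes) -> bool:
    """Server side: recompute the response from whatever secret is stored."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in (assumption) for a salted one-way entry such as /etc/shadow."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def demo():
    password = b"s3cret-example"      # constructed sample password
    salt = b"constructed-salt"        # constructed sample salt
    ident, challenge = 7, os.urandom(16)

    # Client: only the 16-byte digest crosses the wire, never the password.
    response = chap_response(ident, password, challenge)

    # Server holding the cleartext secret can recompute the same digest.
    ok_cleartext = verify_chap(ident, challenge, response, password)

    # Server holding only a one-way hash cannot: the client hashed the
    # password itself, and the hash cannot be inverted to recover it.
    shadow_entry = one_way_hash(password, salt)
    ok_hashed = verify_chap(ident, challenge, response, shadow_entry)

    # PAP for contrast: the server recovers the password from the request,
    # so it can hash it and compare against the one-way entry.
    ok_pap = hmac.compare_digest(one_way_hash(password, salt), shadow_entry)
    return ok_cleartext, ok_hashed, ok_pap


if __name__ == "__main__":
    print(demo())
```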
