Russell Enderby <[EMAIL PROTECTED]> wrote:
> Please direct me to the CHAP spec and I will look it over

See the source code of the server for a CHAP encoding implementation. src/lib/radius.c, function rad_chap_encode()

> but here is the bottom line:

I really doubt that..

> * a user must authenticate with some key(password)

Yes.

> * a RAS will need to send this information up to the radius box to
> see if they are permitted.

Yes, so?

> Some sort of password or "challenge" needs to be sent to compare to.

Yes, so?

> * This "challenge" or password sent to the radius box for CHAP is
> currently compared to the 'plain text' users file.

No. Absolutely not. See the source for rad_chap_encode() to see why.

It's the other way around. The plain text password supplied by the configuration at the RADIUS server is encrypted using information from the encrypted CHAP password, as sent in the RADIUS packet from the NAS. This encrypted password is compared to the encrypted CHAP password.

> But it SHOULD be able to be compared to the /etc/shadow file also.

Saying that shows you don't understand how CHAP works. It's in the FAQ for crying out loud. Go read the FAQ to understand it better.

To repeat: The shadow password file does NOT contain the plain text password. So it's IMPOSSIBLE for the radius server to use the plain text password to get an encrypted CHAP password, as the radius server DOES NOT have access to a plain text password.

Go read the FAQ. CHAP requires access to a plain text password, and you CANNOT use /etc/passwd, or /etc/shadow for CHAP authentication. Anyone who tells you different is lying.

Alan DeKok.
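The comparison described in the reply above, as an added example that is not part of the original message and is not FreeRADIUS code. It follows the CHAP-with-MD5 computation from RFC 1994 and the CHAP-Password attribute layout from RFC 2865; the function names and sample values are constructed, and the salted SHA-256 string is only a stand-in for an /etc/shadow entry.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def nas_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value as carried in the RADIUS packet (RFC 2865):
    one identifier byte followed by the 16-byte response from the peer."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def server_verify(chap_password: bytes, challenge: bytes, stored: bytes) -> bool:
    """Recompute the response from whatever the server has stored for the
    user and compare it with the response received from the NAS."""
    if len(chap_password) != 17:
        return False
    ident, received = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored, challenge)
    return hmac.compare_digest(expected, received)


def shadow_style_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a one-way /etc/shadow entry (assumption: salted SHA-256,
    not a real crypt(3) format). The plain text cannot be recovered from it."""
    return hashlib.sha256(salt + password).hexdigest().encode()


def demo():
    password = b"constructed-password"      # constructed sample value
    challenge = bytes(range(16))            # constructed, fixed for repeatability
    attr = nas_chap_password(7, password, challenge)

    # Server configured with the plain text password: the recomputed
    # response matches what the NAS forwarded.
    with_plain = server_verify(attr, challenge, password)

    # Server holding only a one-way hash: the hash is not the secret the
    # peer fed into MD5, so the recomputed response can never match.
    hashed = shadow_style_hash(password, b"constructed-salt")
    with_hash = server_verify(attr, challenge, hashed)
    return with_plain, with_hash


if __name__ == "__main__":
    print(demo())
```
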
