Since you are going to act like a baby about this, I can talk down to your level:

[EMAIL PROTECTED] wrote:

> Russell Enderby <[EMAIL PROTECTED]> wrote:
>
> > Please direct me to the CHAP spec and I will look it over
>
>   See the source code of the server for a CHAP encoding
> implementation.

>   src/lib/radius.c, function rad_chap_encode()
>

I did not ask how a CHAP password is encrypted with md5.  I asked for a block
diagram of how the CHAP protocol works between the client, NAS, and radius server
and all the handshaking in between.

This piddly function that calls librad_md5_calc() when passed a string means
absolutely nothing about this conversation.


>
> > but here is the bottom line:
>
>   I really doubt that..
>

I doubt that you comprehend my question or have a full understanding of the CHAP protocol
yourself.


>
> > * a user must authenticate with some key(password)
>
>   Yes.
>

Bravo.


>
> > * a RAS will need to send this information up to the radius box to
> > see if they are permitted.
>
>   Yes, so?
>

This is key information that I am talking about.  If what you say below about how
the radius server sends the encrypted password back to the NAS is true, then the answer to
this is:

No.  The RAS receives the password from the radius server.


>
> >   Some sort of password or "challenge" needs to be sent to compare to.
>
>  Yes, so?

So...

>
> > * This "challenge" or password sent to the radius box for CHAP is
> > currently compared to the 'plain text' users file.
>
>   No.  Absolutely not.  See the source for rad_chap_encode() to see
> why.
>
>   It's the other way around.  The plain text password supplied by the
> configuration at the RADIUS server is encrypted using information from
> the encrypted CHAP password, as sent in the RADIUS packet from the
> NAS.
>
>   This encrypted password is compared to the encrypted CHAP password.
>

This completely contradicts what you said above.  See my previous statement.

>
> >  But it SHOULD be able to be compared to the /etc/shadow file also.
>
>   Saying that shows you don't understand how CHAP works.  It's in the
> FAQ for crying out loud.  Go read the FAQ to understand it better.
>

The FAQ does NOT EXPLAIN JACK!  If you are referring to sections 4.4 and 4.5 in the
FAQ, please show me where in the FAQ the diagrams are that show the PHYSICAL CHAP
protocol.  This means the actual size of the packets, the contents of each, the
fields in each packet, the sequence of the packets, who initiates the packets and
what responses are expected.

The FAQ does not explain any of this and if you think it does then you must have a
copy that is not on their website.


>
>   To repeat:  The shadow password file does NOT contain the plain text
> password.  So it's IMPOSSIBLE for the radius server to use the plain
> text password to get an encrypted CHAP password, as the radius server
> DOES NOT have access to a plain text password.
>

I repeat.  This statement is BS.  A shadow password file contains a PLAIN TEXT
PASSWORD that you can compare against.

Again here are the two scenarios:

#1:  The radius server receives a password to check.  It encrypts it with md5 and
does a text compare to the shadow file and you're done.

#2: If you are telling me that we only get the name of the user and we send back
the encrypted password to be decoded by the NAS then we go and read the shadow
file and we send it down to the NAS and it needs to do a md5 encode on the
password handed to it by the user and again do a text compare of the two strings.

We are not talking rocket science here.  And the sarcasm of your "help" by saying
"EVERYTHING IS IN THE FAQ" is worthless to be posted as a reply.

>
>   Go read the FAQ.  CHAP requires access to a plain text password, and
> you CANNOT use /etc/passwd, or /etc/shadow for CHAP authentication.
> Anyone who tells you different is lying.

Saying the same thing over and over gets you nowhere.

Russell Enderby

>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

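The three-party exchange the thread argues about (PPP peer, NAS, RADIUS server), written out as an added example; this is editor-supplied code, not FreeRADIUS source and not code from either poster. It follows RFC 1994 section 4.1 for the CHAP Response and RFC 2865 sections 5.3 and 5.40 for the CHAP-Password and CHAP-Challenge attributes. Assumptions: only the RADIUS attribute TLVs are built, not the full packet header; the `users_file` dict stands in for the server's users file; the sha256 digest used in the last run is a constructed stand-in for a one-way /etc/shadow-style hash, not a real crypt(3) entry; all function names are this example's own.

```python
"""CHAP over RADIUS, end to end: PPP peer <-> NAS <-> RADIUS server.

Constructed example; names are this example's own, not the FreeRADIUS API.
Formats: RFC 1994 s.4.1 (CHAP Response), RFC 2865 s.5.3 (CHAP-Password)
and s.5.40 (CHAP-Challenge).
"""
import hashlib
import hmac
import os

# RADIUS attribute type numbers (RFC 2865).
USER_NAME = 1
CHAP_PASSWORD = 3
CHAP_CHALLENGE = 60


def chap_response(ident, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge), 16 bytes."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def encode_attrs(attrs):
    """Serialise {type: value} as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = bytearray()
    for attr_type, value in attrs.items():
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def nas_build_access_request(username, ident, challenge, response, include_challenge=True):
    """NAS side: forward the peer's CHAP Response to the RADIUS server.

    CHAP-Password = 1 byte CHAP Identifier + the 16-byte Response.  If the NAS
    omits CHAP-Challenge, RFC 2865 says the Request Authenticator IS the challenge.
    """
    attrs = {USER_NAME: username.encode(), CHAP_PASSWORD: bytes([ident]) + response}
    if include_challenge:
        attrs[CHAP_CHALLENGE] = challenge
    return encode_attrs(attrs)


def radius_server_verify(packet, request_authenticator, users_file):
    """Server side; users_file maps user -> plain-text password on file.

    The server never receives the typed password.  It recomputes the MD5 from
    the stored plain-text password and the challenge, then compares digests.
    """
    attrs = decode_attrs(packet)
    chap_pw = attrs.get(CHAP_PASSWORD, b"")
    if len(chap_pw) != 17:
        return False  # malformed: must be Ident + 16-byte digest
    challenge = attrs.get(CHAP_CHALLENGE, request_authenticator)
    stored = users_file.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    if stored is None:
        return False
    expected = chap_response(chap_pw[0], stored, challenge)
    return hmac.compare_digest(expected, chap_pw[1:])


def run_exchange(username, typed_password, users_file, ident=7,
                 challenge=None, request_authenticator=None, include_challenge=True):
    """One CHAP authentication through all three parties; True means Access-Accept."""
    request_authenticator = request_authenticator or os.urandom(16)
    # NAS -> peer: Challenge.  Without a CHAP-Challenge attribute the NAS must
    # challenge with the value it later sends as the Request Authenticator.
    if not include_challenge:
        challenge = request_authenticator
    challenge = challenge or os.urandom(16)
    # peer -> NAS: Response computed from the password the user typed.
    response = chap_response(ident, typed_password, challenge)
    # NAS -> server: Access-Request(User-Name, CHAP-Password, [CHAP-Challenge]).
    packet = nas_build_access_request(username, ident, challenge, response, include_challenge)
    # server: verify against the plain-text password it has on file.
    return radius_server_verify(packet, request_authenticator, users_file)


if __name__ == "__main__":
    users = {"rse": b"correct horse"}
    print("right password:", run_exchange("rse", b"correct horse", users))
    print("wrong password:", run_exchange("rse", b"guess", users))
    # Constructed stand-in for a one-way /etc/shadow-style hash (not a real crypt(3) hash):
    hashed_only = {"rse": hashlib.sha256(b"correct horse").digest()}
    print("hash on file  :", run_exchange("rse", b"correct horse", hashed_only))
```

The last run shows the property both posters are circling: the server's input to MD5 is whatever it has on file, so a stored one-way hash makes the comparison fail for the right password, while the peer's challenge-bound digest cannot be turned back into the password for a text compare on the NAS side either.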