Russell Enderby <[EMAIL PROTECTED]> wrote:
> Since you are going to act like a baby about this I can talk down to
> your level:
Hmm... ad hominem attacks. I didn't call you names. I didn't talk
down to you.
I'll toss a coin... I lost. I guess I'll respond to the rest of
your message...
> I did not ask for how a CHAP password is encrypted with md5. I
> asked for a block diagram of how the CHAP protocol works between the
> client, nas, and radius server and all the handshaking in between.
You're perfectly welcome to do a net search yourself. Please
understand if I won't hold your hand.
> This pittly function that calls librad_md5_calc() when passed a string means
> absolutely nothing about this conversation.
Umm.. that function implements CHAP password encoding. If it's
irrelevant, I don't know why.
> I doubt that you comprehend my question and a full understand of the
> CHAP protocol yourself.
I feel so hurt by that.
> This is key information that I am talking about. If what you say
> below about how the radius server sends the encrypted password back
> to the NAS then the answer to this is:
No, please read my response again. I did NOT say that. The RADIUS
server NEVER sends the encrypted password back to the NAS. What I
said was:
> > It's the other way around. The plain text password supplied by the
> > configuration at the RADIUS server is encrypted using information from
> > the encrypted CHAP password, as send in the RADIUS packet from the
> > NAS.
> >
> > This encrypted password is compared to the encrypted CHAP password.
That is, the RADIU SERVER does the comparison.
> No. The RAS receives the password from the radius server.
If you really believe that, then you don't understand how RADIUS
works, either. The RFC's are publicly available. The source to the
radius server is publicly available. Feel free to read them.
> > This encrypted password is compared to the encrypted CHAP password.
>
> This completely contradicts what you said above.
Only if you completely misunderstand it's meaning.
> > Saying that shows you don't understand how CHAP works. It's in the
> > FAQ for crying out loud. Go read the FAQ to understand it better.
> >
>
> The FAQ does NOT EXPLAIN JACK! If you are referring to section 4.4
> and 4.5 in the FAQ please show me where in the FAQ the diagrams are
> that show the PHYSICAL CHAP protocol. This means the actual size of
> the packets, the contents of each, the fields in each packets, the
> sequence of the packets, who initiates the packets and what reponses
> are expected.
I refuse to explain that. Go read the RADIUS RFC's, or the CHAP
RFC. They're really not hard to find. What you want is described
there.
If you're unwilling to read the RFC's yourself (as most people
implementing RADIUS have done already), then please understand if I'm
not willing to explain them to you.
> The FAQ does not explain any of this and if you think it does then
> you must have a copy that is not on their website.
The FAQ explains how CHAP interacts with the password files and
RADIUS. If that isn't good enough, go read the RFC's yourself.
> > To repeat: The shadow password file does NOT contain the plain text
> > password. So it's IMPOSSIBLE for the radius server to use the plain
> > text password to get an encrypted CHAP password, as the radius server
> > DOES NOT have access to a plain text password.
> >
>
> I repeat. This statement is BS. A shadow password file contains a
> PLAIN TEXT PASSWORD that you can compare against.
This is the part where I laugh hysterically. You're wrong. A
simple 'man shadow' on a Unix box would show you:
------
SHADOW(3) SHADOW(3)
NAME
shadow - encrypted password file routines
...
DESCRIPTION
shadow manipulates the contents of the shadow password
file, /etc/shadow. The structure in the #include file is
struct spwd {
char *sp_namp; /* user login name */
char *sp_pwdp; /* encrypted password */
...
----
See? the password is encrypted, and it isn't available in plain
text.
But I doubt you'll believe me.
> Again here are the two scenarios:
...
They're nonsense. You even contradict yourself:
> #1: The radius server receives a password to check. It encrypts it
> with md5 and does a text compare to the shadow file and your done.
So here you say that the shadow passwords are encrypted.
Previously, you said they weren't.
> We are not talking rocket science here. And the sarcasm your help by saying
> "EVERYTHING IS IN THE FAQ" is worthless to be posted as a reply.
... only if you're unwilling to read and understand the FAQ.
> Saying the same thing over and over gets you know where.
... only if the person I'm talking to refuses to listen.
Sorry, but you've used personal attacks, you've contradicted
yourself, you've shown that you're unwilling to do any work yourself,
and that you want everyone else to do the work for you. You've shown
that you don't understand simple explanations, and then yell in ALL
CAPS at other people because they don't understand your confused
questions.
These are all the markings of a kook. Please understand (yeah, right)
if I don't bother replying to any more of your messages, no matter how
personal the attacks get.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
