[EMAIL PROTECTED] wrote:
> Russell Enderby <[EMAIL PROTECTED]> wrote:
> > Since you are going to act like a baby about this I can talk down to
> > your level:
>
> Hmm... ad hominem attacks. I didn't call you names. I didn't talk
> down to you.
>
> I'll toss a coin... I lost. I guess I'll respond to the rest of
> your message...
>
When someone asks to understand why CHAP does not work with radius and all you do
is say read the FAQ over and over and point to a function that does an md5 hash.
I am sure you can see how not helpful that is.
>
> > I did not ask for how a CHAP password is encrypted with md5. I
> > asked for a block diagram of how the CHAP protocol works between the
> > client, nas, and radius server and all the handshaking in between.
>
> You're perfectly welcome to do a net search yourself. Please
> understand if I won't hold your hand.
If this is your help when someone posts a message on the list then replying was
not very useful except to waste both of our times.
>
> > This pittly function that calls librad_md5_calc() when passed a string means
> > absolutely nothing about this conversation.
>
> Umm.. that function implements CHAP password encoding. If it's
> irrelevant, I don't know why.
>
It is when we are not talking about how a encoded password works. Instead I was
trying to understand how the actual comparison happens. This was clearly answered
by Mark.
>
> > I doubt that you comprehend my question and a full understand of the
> > CHAP protocol yourself.
>
> I feel so hurt by that.
>
Im sure.
>
> > This is key information that I am talking about. If what you say
> > below about how the radius server sends the encrypted password back
> > to the NAS then the answer to this is:
>
> No, please read my response again. I did NOT say that. The RADIUS
> server NEVER sends the encrypted password back to the NAS. What I
> said was:
>
> > > It's the other way around. The plain text password supplied by the
> > > configuration at the RADIUS server is encrypted using information from
> > > the encrypted CHAP password, as send in the RADIUS packet from the
> > > NAS.
> > >
> > > This encrypted password is compared to the encrypted CHAP password.
>
> That is, the RADIU SERVER does the comparison.
Yes. But the CRITICAL piece of information is that the radius server RECEIVES a
password with a one-way hash and the shadow file has a one-way hash as well so
there is no way to compare. By simple saying "You MUST have a clear text password
for the radius to work." means nothing.
>
> > No. The RAS receives the password from the radius server.
>
> If you really believe that, then you don't understand how RADIUS
> works, either. The RFC's are publicly available. The source to the
> radius server is publicly available. Feel free to read them.
>
Again thanks to Mark for this.
>
> > > This encrypted password is compared to the encrypted CHAP password.
> >
> > This completely contradicts what you said above.
>
> Only if you completely misunderstand it's meaning.
>
> > > Saying that shows you don't understand how CHAP works. It's in the
> > > FAQ for crying out loud. Go read the FAQ to understand it better.
> > >
> >
> > The FAQ does NOT EXPLAIN JACK! If you are referring to section 4.4
> > and 4.5 in the FAQ please show me where in the FAQ the diagrams are
> > that show the PHYSICAL CHAP protocol. This means the actual size of
> > the packets, the contents of each, the fields in each packets, the
> > sequence of the packets, who initiates the packets and what reponses
> > are expected.
>
> I refuse to explain that. Go read the RADIUS RFC's, or the CHAP
> RFC. They're really not hard to find. What you want is described
> there.
>
> If you're unwilling to read the RFC's yourself (as most people
> implementing RADIUS have done already), then please understand if I'm
> not willing to explain them to you.
>
Thanks for Mark again for this.
>
> > The FAQ does not explain any of this and if you think it does then
> > you must have a copy that is not on their website.
>
> The FAQ explains how CHAP interacts with the password files and
> RADIUS. If that isn't good enough, go read the RFC's yourself.
>
All it says is that it needs a clear text password. It does not answer WHY.
>
> > > To repeat: The shadow password file does NOT contain the plain text
> > > password. So it's IMPOSSIBLE for the radius server to use the plain
> > > text password to get an encrypted CHAP password, as the radius server
> > > DOES NOT have access to a plain text password.
> > >
> >
> > I repeat. This statement is BS. A shadow password file contains a
> > PLAIN TEXT PASSWORD that you can compare against.
>
> This is the part where I laugh hysterically. You're wrong. A
> simple 'man shadow' on a Unix box would show you:
>
A shadow file contains a clear text password that has been one way hashed. And
now with Marks information knowing that you are given already a one-way hash it
will be hard to work with.
>
> ------
> SHADOW(3) SHADOW(3)
>
> NAME
> shadow - encrypted password file routines
> ...
> DESCRIPTION
> shadow manipulates the contents of the shadow password
> file, /etc/shadow. The structure in the #include file is
>
> struct spwd {
> char *sp_namp; /* user login name */
> char *sp_pwdp; /* encrypted password */
> ...
> ----
>
> See? the password is encrypted, and it isn't available in plain
> text.
>
> But I doubt you'll believe me.
>
> > Again here are the two scenarios:
> ...
>
> They're nonsense. You even contradict yourself:
>
> > #1: The radius server receives a password to check. It encrypts it
> > with md5 and does a text compare to the shadow file and your done.
>
> So here you say that the shadow passwords are encrypted.
> Previously, you said they weren't.
>
> > We are not talking rocket science here. And the sarcasm your help by saying
> > "EVERYTHING IS IN THE FAQ" is worthless to be posted as a reply.
>
> ... only if you're unwilling to read and understand the FAQ.
>
> > Saying the same thing over and over gets you know where.
>
> ... only if the person I'm talking to refuses to listen.
>
> Sorry, but you've used personal attacks, you've contradicted
> yourself, you've shown that you're unwilling to do any work yourself,
> and that you want everyone else to do the work for you. You've shown
> that you don't understand simple explanations, and then yell in ALL
> CAPS at other people because they don't understand your confused
> questions.
>
> These are all the markings of a kook. Please understand (yeah, right)
> if I don't bother replying to any more of your messages, no matter how
> personal the attacks get.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
