On Wed, Oct 24, 2001 at 01:43:52PM -0400, Russell Enderby wrote:
> > > [EMAIL PROTECTED] wrote:
>
> When someone asks to understand why CHAP does not work with radius and all you do
> is say read the FAQ over and over and point to a function that does an md5 hash.
> I am sure you can see how not helpful that is.

CHAP does work with Radius... I know, because I use it. It does not work with already encrypted passwords (so you can say AuthType := system).
If you do not understand how an encrypted password/passphrase challenge is done, please read the according FAQs. Just a word to think about it: If the password is encrypted, why can't it be decrypted easily then, has to be brute-forced instead? Keep in mind, encryption is math. All math operations can be reversed, if you know enough values for the variables. Read the crypt(3) manpage and understand the meaning of the SALT... and you will understand the problem.

> > You're perfectly welcome to do a net search yourself. Please
> > understand if I won't hold your hand.
> If this is your help when someone posts a message on the list then replying was
> not very useful except to waste both of our times.

Asking a question is one thing, being offensive another.

> > > > This encrypted password is compared to the encrypted CHAP password.
> > That is, the RADIUS SERVER does the comparison.
> Yes. But the CRITICAL piece of information is that the radius server RECEIVES a
> password with a one-way hash and the shadow file has a one-way hash as well so
> there is no way to compare. By simply saying "You MUST have a clear text password
> for the radius to work." means nothing.

Sure it does ... it means "you need clear text passwords"

> Again thanks to Mark for this.

an excuse to Alan is missing here ... (hint hint)

> All it says is that it needs a clear text password. It does not answer WHY.

As my teacher always said: "Detailed Documentation can be found in the .c and .h files". What he meant was to understand the system you work on, to read the code and see what it does.

> A shadow file contains a clear text password that has been one way hashed. And
> now with Mark's information knowing that you are given already a one-way hash it
> will be hard to work with.

That's not correct. A shadow file contains a one-way hash OF a password, not the password itself. You can only use that hashing algorithm, because supplying the same password again will lead to the same hash.
So, please, I can understand if you are interested in details, but you have to understand how annoying it is when you get asked things over and over again, regardless that almost (!) any information can be found on the internet. You just have to spend 15 minutes on Yahoo, and read the documents.

cheers
Andreas Faust
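
Added example, not part of the original message or of FreeRADIUS: a minimal Python sketch of why the server needs the clear-text password to check a CHAP response, while a PAP-style check works against a salted one-way hash. The CHAP computation follows RFC 1994 (MD5 over ID, secret and challenge); `salted_hash` is an assumed stand-in for a crypt(3) shadow entry, and the password, salt and challenge are constructed sample values.

```python
import hashlib
import hmac


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def salted_hash(password: bytes, salt: bytes) -> bytes:
    """Assumed stand-in for a crypt(3)-style shadow entry (salted SHA-256)."""
    return hashlib.sha256(salt + password).digest()


def server_verify_chap(chap_id: int, challenge: bytes,
                       response: bytes, stored_secret: bytes) -> bool:
    """The server must recompute the MD5 itself, so it needs the secret
    in exactly the form the client fed into the hash."""
    expected = chap_response(chap_id, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def server_verify_pap(cleartext: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """With PAP the server receives the password itself, so it can re-hash
    it with the stored salt and compare against the shadow entry."""
    return hmac.compare_digest(salted_hash(cleartext, salt), stored_hash)


def demo() -> dict:
    password = b"correct horse"        # constructed sample password
    salt = b"ab"                       # constructed sample salt
    shadow_entry = salted_hash(password, salt)
    chap_id, challenge = 7, bytes(range(16))   # constructed challenge
    response = chap_response(chap_id, password, challenge)
    return {
        # Server holds the clear-text password: response can be recomputed.
        "chap_with_cleartext":
            server_verify_chap(chap_id, challenge, response, password),
        # Server holds only the one-way hash: nothing it has matches what
        # the client hashed, and the hash cannot be turned back into it.
        "chap_with_shadow_hash":
            server_verify_chap(chap_id, challenge, response, shadow_entry),
        # PAP against the same shadow entry works.
        "pap_with_shadow_hash":
            server_verify_pap(password, salt, shadow_entry),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```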
