> Joe Modjeski wrote:
>
>> The ENCRYPT() function should be the one to use since MySQL just
>> passes it through to your system's crypt() function. I know on the
>> American version of the crypto libs on FreeBSD (using export controlled
>> crypto) and Linux you can control the type of password created by the
>> salt that was used to create the hash.
>>
>> A good test is to encrypt in MySQL the same password you use to
>> login to your UNIX box passing it the system hashed version (out of
>> /etc/passwd or /etc/shadow) of the password as the salt, i.e.
>>
>> SELECT ENCRYPT('mypass','<hashedpass>');
>>
>> MySQL should return an exact copy of <hashedpass>. If not then it is
>> possible that MySQL is linked to the wrong crypto libs.
>
> This might be true. I use MD5 passwords on my RH7.1 box, but the return
> value of ENCRYPT() looks decidedly like the old crypt() (it's SHORT!)
>
> I'm not at the office right now; when I get there I'll simply try to
> copy the password field from /etc/shadow into the table and see what
> happens.
>
>> I have FreeRadius running on 4 RH7 boxes using both DES and MD5
>> crypted hashes and have had no problems. With the exception of some
>> old FreeBSD hashes that used a 16 character MD5 salt.
>
> But do you use MySQL, specifically the stock RedHat RPM one (like me)?
> It might have been miscompiled.
>
Yes I am using MySQL, but no I am not using the binary version. The stock
RedHat RPM should be linked to the proper crypto libs (I would hope). I
just did a test (on RH7.1 with stock RedHat RPM MySQL) and by default it
seems that mysql will use a DES salt to the ENCRYPT() call.

I have to support CHAP authentications so all of my new users are using
clear-text passwords. I do have a lot of crypted passwords (both DES and
MD5) left over from legacy implementations. I would agree with Alan
though, starting to store clear-text passwords now would be a good thing
unless you don't ever plan on supporting CHAP. I got stung a half a year
ago with 5000 crypted passwords and a new provider that would only send me
CHAP requests. Needless to say it was a LONG migration to CHAP.

This brings up another point though, the attribute row that stores the
password in the radcheck table. You are using the 'Crypt-Password'
attribute instead of the 'Password' attribute? I got stung by this when I
did my initial import from my MySQL patched Cistron.

Joe
>> Joe
>
> --
> Juan Carlos Castro y Castro | "Standing up to an evil system is
> [EMAIL PROTECTED] | exhilarating." -Richard Stallman
> Rio de Janeiro - Brazil |
> DC4DC #25 | http://www.vialink.com.br/~jcastro
>
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
--
Joe Modjeski
Systems Administrator
CommSpeed
[EMAIL PROTECTED]
--------------------------------------------------
"If man evolved from monkeys and apes, why do we still have monkeys and
apes?" - From someone out there
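The ENCRYPT() round-trip test discussed in this thread depends on reading the result correctly: a 13-character string is traditional DES crypt, while `$1$salt$...` is MD5 crypt. The following is an added example, not code from the thread or from FreeRADIUS; the function names and all sample strings are constructed placeholders (not real hashes), and it assumes a DES-only crypt() echoes the first two salt characters back.

```python
import re

# crypt(3) output alphabet is [./0-9A-Za-z].
# DES: 2 salt chars + 11 hash chars. The salt match is lenient on purpose
# (assumption: a DES-only crypt() handed "$1$..." echoes "$1" as its salt).
DES_RE = re.compile(r"^(?P<salt>.{2})[./0-9A-Za-z]{11}$")
# MD5: "$1$" + salt + "$" + 22 hash chars.
MD5_RE = re.compile(r"^\$1\$(?P<salt>[^$]*)\$[./0-9A-Za-z]{22}$")

def classify(hash_str):
    """Return (scheme, salt); scheme is 'MD5', 'DES' or 'unknown'."""
    m = MD5_RE.match(hash_str)
    if m:
        return "MD5", m.group("salt")
    m = DES_RE.match(hash_str)
    if m:
        return "DES", m.group("salt")
    return "unknown", None

def diagnose(stored, returned):
    """stored: hash from /etc/shadow; returned: ENCRYPT('pw', stored) output."""
    s_scheme, s_salt = classify(stored)
    r_scheme, _ = classify(returned)
    if s_scheme == "unknown":
        return "stored value is not a DES or MD5 crypt hash"
    if returned == stored:
        return "match: crypt() honours %s salts" % s_scheme
    if s_scheme == "MD5" and len(s_salt) > 8:
        # glibc's MD5 crypt reads at most 8 salt characters.
        return "MD5 salt longer than 8 characters: may not verify here"
    if s_scheme == "MD5" and r_scheme == "DES":
        return "crypt() ignored the $1$ prefix and produced a DES hash"
    if r_scheme == s_scheme:
        return "same scheme, different hash: check the password"
    return "unexpected output format"

# Constructed sample strings with the right shape only.
SAMPLE_MD5 = "$1$abcdefgh$0123456789ABCDEFGHIJKL"
SAMPLE_LONG = "$1$0123456789abcdef$0123456789ABCDEFGHIJKL"
SAMPLE_DES = "abJnggxhB/yWI"
SAMPLE_DES_FROM_MD5_SALT = "$1Qz7WkB0pLm2"

if __name__ == "__main__":
    print(diagnose(SAMPLE_MD5, SAMPLE_DES_FROM_MD5_SALT))
```

The same classification tells you whether a legacy value belongs under 'Crypt-Password' at all: anything that classifies as unknown is not a DES or MD5 crypt string.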