On Wed, 26 Jun 2002 05:35:04 +0200, [EMAIL PROTECTED] wrote:

>> Well, it doesn't look like it. For example, look at the following three lines:
>> all of them are hashes for the word 'test'. Any of them is valid, that is,
>> if I log in and type the password 'test' (without the quotes), any of these
>> lines will return an access-accept.
>> $1$2zGHwN5F$ytHiyCHtFgKkXU6opsHI3/
>> $1$I61qcigH$kSds2z.MAvRpQqSC70VXp0
>> $1$xofKQZIU$cc6n6NjIpaE42itF3QK431
>Remember there is also always a salt when calling crypt. Use a different salt
>and you will have different but valid hashes. crypt, when called without a salt
>(which is the case when creating a user through dialup_admin), will randomly
>generate one.

Ok, but my doubt is: how can radius correctly check that a hash corresponds
to the password without knowing what salt was used to generate that hash?

I saw that in /src/main/auth.c, on line 300 (for the June 26 update), this is the check:

                     crypted_password = crypt((char *)auth_item->strvalue,
                                                 (char *)password_pair->strvalue);

well, the second parameter is the salt, but I'm not a C programmer, so I don't know
how to debug it to find out what this value is.

>> My question is: HOW does radius find the correct password? Does it try
>> every hash until it finds the correct one, or does it check only a small
>> part of the hash?
>Do a cvs update or just remove the substr call in lib/sql/password_check.php3.
>By default a two character salt was passed to crypt. You are using MD5 passwords,
>so crypt would do DES and try to check the result against an MD5 encrypted password
>and eventually fail. Now it should work much better (I hope).

Yes, it works sweetly! Thanks for this! And I'm sorry to tell you I will use your check
password code so I can let the user change their own password! Of course, if you
don't have any objection (Yes, I read the /LICENSE file, but it is always nice to ask
first >:-)  )
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
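The crypt(3) behaviour discussed in this thread, as an added example that is not code from FreeRADIUS or dialup_admin: a hashlib-only Python re-implementation of MD5-crypt ("$1$") showing that the salt is stored inside the hash string itself, which is why auth.c can pass the whole stored hash as crypt()'s second argument and get the same hash back, and why the old two-character substr in password_check.php3 could never match. The three hashes are the ones quoted above; function names are my own.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The three hashes quoted in the thread: all are 'test' under different salts.
THREAD_HASHES = ["$1$2zGHwN5F$ytHiyCHtFgKkXU6opsHI3/",
                 "$1$I61qcigH$kSds2z.MAvRpQqSC70VXp0",
                 "$1$xofKQZIU$cc6n6NjIpaE42itF3QK431"]


def _to64(value, count):
    # crypt(3)'s base-64 alphabet, 6 bits per character, least significant first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password, setting):
    # MD5-crypt ("$1$") as in FreeBSD/glibc crypt(3). 'setting' may be a bare
    # salt or a complete stored hash: skip the "$1$" magic and take at most
    # 8 salt characters up to the next '$', exactly as crypt(3) does.
    pw = password.encode()
    if setting.startswith("$1$"):
        setting = setting[3:]
    salt = setting.split("$", 1)[0][:8].encode()
    alt = hashlib.md5(pw + salt + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:  # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # the deliberately slow stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups) + _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + out


def check_password(password, stored):
    # What auth.c does: crypt(password, stored_hash) must equal stored_hash.
    # A truncated setting such as "$1" (the old substr(..., 0, 2)) is not an MD5
    # setting; real crypt(3) would do DES there, which can never equal an MD5 hash.
    if not stored.startswith("$1$"):
        return False
    return md5_crypt(password, stored) == stored
```

check_password("test", h) is True for each of the three quoted hashes, while check_password("test", h[:2]) is False, which is the failure the substr call caused.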
