Dear [EMAIL PROTECTED],

Password decryption must be performed during the authorize stage, not the
authenticate stage.

--Tuesday, June 24, 2003, 12:45:25 PM, you wrote to [EMAIL PROTECTED]:

mmr> Hi!

mmr> Two questions.


mmr> MS-CHAP and similar auth methods require knowing users' plain passwords.
mmr> I want to keep passwords in a file and load it by rlm_passwd. All works
mmr> well. But for more security I think I should keep it encrypted.
mmr> The mschap module wants to see the decrypted (plain) password.

mmr> IMHO, it is a good idea to decrypt the password with rlm_perl. I can use
mmr> any method to encrypt/decrypt the password. But:

mmr> When rlm_perl renews attribute values it uses the pairmove function, which
mmr> ignores all new values for User-Password and Crypt-Password.
mmr> There are no more suitable attributes in the dictionary. I can create an
mmr> individual attribute and use it, but that is not very good - I have
mmr> to check dictionaries after each update.

mmr> How can I decode the password in a more suitable way?

mmr> Second question.

mmr> Where should I insert the decoding code?
mmr> rlm_perl has both authorize and authenticate methods to handle
mmr> radius's calls.
mmr> IMHO authenticate is the better place.


mmr> When I try to insert perl into the authenticate section I can do it in 2
mmr> ways.

mmr> First:

mmr> authenticate {
mmr>      perl
mmr>      authtype MS-CHAP {
mmr>          mschap
mmr>      }
mmr> }
             
mmr> In this case perl is not executed.

mmr> When I try:
mmr> authenticate {
mmr>      authtype MS-CHAP {
mmr>          perl
mmr>          mschap
mmr>      }
mmr> }

mmr> perl is executed, but mschap is ignored :(


mmr> Mike


mmr> - 
mmr> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
~/ZARAZA
When a little bird dies of gluttony, it is put on a spit.  (Lem)

