Good, 

I guess it would be a boring world if we never tried to challenge 
each other... ;)

Tom.


> -----Original Message-----
> From: Artur Hecker [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 26, 2004 1:15 PM
> To: [EMAIL PROTECTED]
> Subject: Re: PEAP / MSCHAP2 / LDAP
> 
> 
> that's getting quite consuming, but who says a must say b, right? :-)
> 
> 
> > Please do not take my e-mails personally... I must say that I thought
> > you might be one of those show-offs who pick through people's e-mails looking
> > for mistakes and then completely miss the point of the e-mail. My apologies
> > if I am mistaken.
> 
> i actually almost never reply :-) one thing, if i was a show-off,
> wouldn't it be much more comfortable for me to take 5 min in order to
> take a look at the specs and show off even more instead of making
> assumptions based only on what has been said before? just type "nt-hash"
> in google :-)
> 
> 
> > I just think you might have misread the post you reacted to.
> 
> perhaps! i will immediately admit that.
> 
> 
> >>It is possible to use PEAP / MSCHAPv2
> >>with LDAP, however one must store the NT-Hash password in LDAP.  I've had the
> >>same problem with crypts as my password encryption in LDAP.  I ended up having to
> >>create an extra LDAP attribute for NT-Hash passwords.
> 
> this is the part which i understand as misleading. since the author
> talks about crypt, one could suppose that this is the general approach.
> i.e. if the protocol uses crypt, you should store the crypt-password in
> the DB, etc.
> 
> you see, when you try to explain the basic problem, you have to insist
> on the fact that the database and the client must hash the same data, be
> this data X or hash(X) or DES(X) - it doesn't change anything. this data
> must be available on both ends, point.
> 
> perhaps my reaction was due to somebody who's recently proposed to me
> the following "trick" to make PEAP work with backend Unix' system
> authentication: with the same argument of double hashing, the idea was
> to type the string stored in the shadow file at the PEAP prompt...
> 
> now after the discussion with you i see that applied to ms-chap the post
> seems to be correct. that's the reason why i've written "i think that
> this is wrong" and not "this is wrong" in my original post.
> 
> 
> ciao
> artur
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
