Hi,
> once the traffic has gotten to the endpoint I would think (stepping out on a
> limb here) that I am dealing with a decrypted stream of traffic and whatever
> hash was completed on the client to the password. So, if I tell the client
> to use mschapv2 to hash the password, then I would be able to tell
> freeradius to do that to "un-hash" it.
I wonder what has been so unclear about my original posting.
Once the password has been obfuscated (either by e.g. MD5 or DES, i.e.
Unix hash or by CHAP or MS-CHAP), there is _no_possibility_at_all_to_
_get_back_to_the_original_password!
It's impossible in theory and in practice (unless you're willing to
spend a couple of CPU-years on brute force attacks or the password
was a particularly bad one which can be cracked by a dictionary
attack, but even then, it's typically going to take at least some
hours to get them).
You can _either_ send clear text password over the (possibly encrypted)
connection (using PAP) [then you can "obfuscate" the password according
to your system's needs and see if the obfuscated password matches the
one stored on your system] _or_ you can send "obfuscated" passwords
((MS-)CHAP) [then you have to have the clear-text password stored on
your server, so it can obfuscate the clear-text password and see
if that matches the obfuscated password].
There is no way you can have both the transferred password and the stored
password obfuscated, as then it's impossible to compare them.
Regards,
Stefan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html