Sure. The main reason why I am moving down this approach is twofold -- one systematic, one more philosophical. First, in our particular implementation we need to use (i.e. are locked into using) EAP-LEAP. LEAP supports two variants for the password, clear text and NT hashed password. The LEAP limitation very quickly narrows down our choices in terms of password storage schemes. Additionally, there are some other related issues that make using a one-way hash such as SHA-1 and SSHA worthless as I will never know the seed used for these algorithms. For us to evolve to a better solution would require more development than can be accomplished in the time frame that I'm working in.

The more philosophical aspect is that we believe (again an opinion, not stated as a fact) based on the transmission characteristics and location and data being persisted in LDAP, that a password in any form other than clear text is better than clear text. I'm not necessarily saying that having a password in an NT hash is more secure, per se, but that it presents an additional layer of obscurity. I personally don't agree with the blanket statement that passwords in clear text aren't any worse. There is a time and a place for most things, but it's situational in nature, and in our situation it's not something that we're considering.

--J.

.  One, based on the location of our
On Feb 9, 2005, at 4:10 AM, [EMAIL PROTECTED] wrote:

Hi,

I'm wondering if anyone has ever tried to put an NT hash password
directly into the LDAP userPassword field, and have it authenticated
through free radius.

Just one nosy question (I'm always trying to collect data on that issue):
Why are you using NT hash passwords instead of cleartext passwords?


TIA,
        Stefan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html