On Thu, 2006-16-03 at 10:45 +0100, KNO wrote:
> On 3/16/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > "Fabiano Rodrigo Boscatto" <[EMAIL PROTECTED]> wrote:
> > > Hi there, I have freeradius working fine with mysql authentication. The
> > > problem is that the User-Password is stored in mysql table as clear text.
> > > Is there a way to crypt that?
> >
> >   Change User-Password to Crypt-Password, and encrypt the password
> > with the Unix crypt() tool.
> >
> >   Then CHAP & MS-CHAP stop working.
> >
> >   If you want to encrypt the password with some kind of key, and then
> > make the key available to FreeRADIUS too, that might be useful.  Maybe.
> >
> >   But it's not as useful as it might first look.  You're better off
> > controlling access to the entire MySQL DB, which contains a lot more
> > security information than the clear-text password.
> >
> >   Alan DeKok.
>
> And what must I do if I want to use MD5 to store the passwords?
> Greets, Aitor
>

If you are using a Unix/Linux system that can use MD5 passwords in the
password file, then libcrypt likely supports MD5 passwords.
I have tested using SHA1/DES/MD5 encrypted passwords from the system
password file on FreeBSD and put them in SQL and it worked. One thing I
discovered while testing was that you will need to set
Auth-Type := Crypt-Local and Crypt-Password == '<encrypted-data>'.

I tend to put the Auth-Type settings in radgroupcheck and assign users
with encrypted passwords to different groups than those with clear text.

Example:

  1  chap-unlimited  Auth-Type := Local
  2  pap-unlimited   Auth-Type := Crypt-Local

Then radcheck would be like:

  1  fredf  User-Password  == wilma
  2  troll  Crypt-Password == $1$f3d5.Cf9$aeM0tnhrmahLR/yHMlEwU1

And usergroup would be like:

  1  fredf  chap-unlimited
  2  troll  pap-unlimited

I have just started working on a new PHP management system and am
intending on supporting the system crypt() command for encoding
passwords when updated. Dialup Admin has not been updated much, since
the last time I used it, and it does not provide many of the functions I
need. I am using code I have written from scratch, but in the day I have
been working on it I have almost got a function that correctly parses
radiusd.conf and any files included. Once I can accurately read all the
config files that are not intended on being deprecated then I will make
the functions to modify them. Once that is done I will concentrate on
functions to maintain MySQL and PostgreSQL users and accounting tasks.

It is a fairly large task, and it may get sidelined for a more simple
system, but I want to start using FreeRadius, so I can decommission the
Cistron server I customized to send accounting info directly to a
PostgreSQL database. Although the current system has been working
flawlessly for over 5 years, FreeBSD has a lot more functionality,
flexibility and is currently maintained by more people than just me.

TTFN

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
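
Added example, not part of the original posts and not FreeRADIUS code: why a Crypt-Password row still verifies for PAP but "CHAP & MS-CHAP stop working", as stated in the thread. The function names are hypothetical, the password, identifier and challenge are constructed sample values, md5_crypt is a reimplementation of the "$1$" scheme used by the Crypt-Password shown above, and the CHAP digest follows RFC 1994.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: bytes, salt: bytes) -> str:
    """MD5-based crypt() ('$1$' scheme), the format of the Crypt-Password row."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    ctx.update((alt * (len(password) // 16 + 1))[:len(password)])
    n = len(password)
    while n:                                   # one byte per bit of the length
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                      # fixed 1000-round stretching
        h = hashlib.md5(password if i & 1 else final)
        if i % 3:
            h.update(salt)
        if i % 7:
            h.update(password)
        h.update(final if i & 1 else password)
        final = h.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    groups = [(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order]
    out = ""
    for v, count in groups + [(final[11], 2)]:
        for _ in range(count):                 # crypt base64, low 6 bits first
            out, v = out + ITOA64[v & 0x3F], v >> 6
    return "$1$" + salt.decode() + "$" + out

def pap_ok(submitted: bytes, crypt_password: str) -> bool:
    """PAP: the server sees the password, so it re-hashes with the stored salt."""
    salt = crypt_password.split("$")[2].encode()
    return hmac.compare_digest(md5_crypt(submitted, salt), crypt_password)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_ok(ident: int, challenge: bytes, response: bytes, stored: bytes) -> bool:
    """CHAP: the server must recompute the digest from what it has stored."""
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)

if __name__ == "__main__":
    stored = md5_crypt(b"wilma", b"f3d5.Cf9")  # constructed Crypt-Password value
    resp = chap_response(7, b"wilma", bytes(range(16)))
    print("PAP against hash:", pap_ok(b"wilma", stored))
    print("CHAP against hash:", chap_ok(7, bytes(range(16)), resp, stored.encode()))
```

The CHAP check only succeeds when the server holds the same clear-text secret the client hashed into its response, which is why the thread keeps CHAP users on User-Password and puts Crypt-Password users in a PAP-only group.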

