Again... you can't decrypt the password. If you could (and do it quickly
enough to be useful) I'd be pretty scared because that implies the
encryption is way too weak.
As Mike suggested you need to set up a hook to start logging the
passwords people use to a file... then you _WILL_ have their cleartext
passwords and can start migrating over to putting cleartext passwords
into your LDAP database instead of the encrypted version (or in addition
to it, e.g. 'userpassword' _AND_ 'encryptedpassword').
-Steve
----- Original Message -----
From: "Felicetti, Stephen A." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, April 12, 2000 8:13 AM
Subject: RE: (RADIATOR) Decrypting passwords for authentication
> Understood.
>
> However, I'm not able to even consider converting the LDAP passwords to
> clear text, for the same reason you gave. What did you mean by logging
> the passwords? What would that do?
>
> I took a look at the example hook file: msisdn.hook, which came with the
> distribution. It looks as though this pre-auth hook function is only used
> to manipulate the radius data coming in from the NAS?
>
> Do you think it would be possible to compose a pre-auth hook to decrypt
> the LDAP password before Radiator applies the CHAP hash? We have some
> solid perl programmers onsite, and I wouldn't want to suggest an idea to
> them unless you think it's possible.
>
> Thanks!
> Steve
>
> -----Original Message-----
> From: Mike McCauley [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 12, 2000 10:27 AM
> To: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Decrypting passwords for authentication
>
>
> This one didnt make it either:
>
> --- Forwarded mail from [EMAIL PROTECTED]
>
> Date: Wed, 12 Apr 2000 06:10:23 +1000
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: BOUNCE [EMAIL PROTECTED]: Non-member submission from
> [Joost Stegeman <[EMAIL PROTECTED]>]
>
> Date: Tue, 11 Apr 2000 21:55:41 +0200
> From: Joost Stegeman <[EMAIL PROTECTED]>
> Organization: KPN
> To: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Decrypting passwords for authentication
>
> Hi Stephen,
>
> "Felicetti, Stephen A." wrote:
> >
> > Hi there!
> >
> > I have a question about the way Radiator decrypts the passwords that
> > are held in my LDAP directory.
> > The passwords are stored in standard unix crypt format.
> > I'm using a Cisco NAS to request authentication for its dialin peers.
> >
> > Here's my understanding of how things work. The end user via PAP sends
> > the plaintext username/password to the NAS.
> > The NAS uses the radius secret to encrypt the password on the internal
> > network on its way to Radiator.
> > Radiator decrypts the user password, and compares it to the password
> > retrieved from LDAP.
>
> OK
>
> > I'm assuming that Radiator must first decrypt the LDAP password before
> > the comparison.
> > Is this correct?
>
> No, Radiator looks at the LDAP password and thinks: "Gee, this is a
> {crypt} password." Radiator crypts the password from the NAS and
> compares the two crypted passwords.
>
> >
> > Now here is why I ask.....I need to begin using CHAP on the NAS. I
> > understand that CHAP requires plaintext passwords in LDAP.
>
> Correct, CHAP does need plaintext passwords.
>
> > If Radiator normally decrypts the password prior to the comparison (w/
> > PAP), then can't it decrypt the LDAP password BEFORE applying the CHAP
> > one-way hash? Thereby applying the hash to a plaintext password?
>
> As explained, it can't.
> You can try logging the passwords as they come by from the NAS (pre-auth
> hook). You can then convert most of your LDAP passwd db to plaintext
> after a while.
>
> Many people think CHAP is safer than PAP, but if your plaintext password
> db is hacked, all passwords are exposed.
>
> - Joost.
>
> >
> > Thanks a lot!!!
> > Steve
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Stephen A. Felicetti Sr. Network Engineer
> > mailto:[EMAIL PROTECTED] Fox Chase Cancer Center
> > 215-728-2956 (v)
> > 215-728-2513 (f)
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
>
> ---End of forwarded mail from [EMAIL PROTECTED]
>
> --
> Mike McCauley [EMAIL PROTECTED]
> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
> Phone +61 3 9598-0985 Fax +61 3 9598-0955
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
> 2000, NT, MacOS X
> ===
> Archive at http://www.starport.net/~radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
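The point the thread keeps circling, as an added illustration that is not Radiator's code: a PAP request can be verified against a one-way hashed LDAP value because the server recovers the cleartext from the RADIUS User-Password attribute with the shared secret, whereas CHAP verification needs the cleartext as MD5 input and cannot be done from a {crypt}-style hash. The stored-hash format below is a constructed stand-in for {crypt} (salted SHA-256 rather than unix crypt()), and all names and sample values are assumptions.

```python
import hashlib
import hmac

# Added example, not Radiator's code. The stored-hash format is a constructed
# stand-in for {crypt} (salted SHA-256 instead of unix crypt()); names assumed.

def store_password(plaintext, salt=b"saltsalt"):
    """One-way store in the constructed format {hash}<salt_hex>$<sha256_hex>."""
    digest = hashlib.sha256(salt + plaintext.encode()).hexdigest()
    return "{hash}" + salt.hex() + "$" + digest

def check_hashed(stored, candidate):
    """PAP-style check: re-hash the candidate with the stored salt and compare."""
    salt_hex, digest = stored[len("{hash}"):].split("$", 1)
    again = hashlib.sha256(bytes.fromhex(salt_hex) + candidate.encode()).hexdigest()
    return hmac.compare_digest(again, digest)

def _pap_xor_stream(data, secret, authenticator, encoding):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block), seeded with the Request Authenticator. Reversible."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ k for b, k in zip(block, key))
        out.extend(result)
        prev = result if encoding else block   # chain on the ciphertext block
    return bytes(out)

def pap_encode_user_password(password, secret, authenticator):
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)          # pad to a 16-byte boundary
    return _pap_xor_stream(pw, secret, authenticator, encoding=True)

def pap_decode_user_password(encoded, secret, authenticator):
    """Server side: recover the cleartext with the shared secret, then hash-and-compare."""
    raw = _pap_xor_stream(encoded, secret, authenticator, encoding=False)
    return raw.rstrip(b"\x00").decode()

def chap_response(ident, password, challenge):
    """RFC 1994: Response = MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def chap_check(stored, ident, challenge, response):
    """CHAP needs the cleartext as MD5 input; a one-way store can't supply it -> None."""
    if not stored.startswith("{cleartext}"):
        return None
    expected = chap_response(ident, stored[len("{cleartext}"):], challenge)
    return hmac.compare_digest(expected, response)
```

The asymmetry is the whole story: `pap_decode_user_password` plus `check_hashed` works with a hashed store, while `chap_check` has nothing to feed MD5 unless the store holds cleartext, which is exactly the exposure Joost warns about.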