Re: LDAP and CHAP
On Fri, 16 Jul 2004, Daniel Eyholzer wrote:

> [EMAIL PROTECTED] wrote:
>> What is the added benefit of something that is encrypted where the algorithm/keys to decrypt are public knowledge... There is no security there, just a false sense of the feeling.
>
> If the key to decrypt the password is only known by the host running the radius server and the host with the web frontend, which permits entering the passwords into the LDAP server running on a separate host, then IMO it is an improvement in security, isn't it?

Yes it is. A bigger improvement would be to just use authentication protocols which send encrypted passwords and don't require clear text passwords, like MS-CHAP-v2 and ideally EAP-TTLS-EAP. Having LDAP ACIs on the symmetrically encrypted password and keeping the symmetric key well hidden can provide some security. But:

1. These passwords will only be used by this specific application (dialup) and cannot be used for other services (where you need an LDAP BIND operation for user authentication). So you will eventually need to keep and synchronize two password attributes.

2. With symmetrical encryption the passwords are as secure as the key used to encrypt. If that key is easily guessable or is compromised then ALL your passwords are compromised. Whilst with one-way encryption an attacker must compromise each user password separately.

3. If you go down that road you will soon find out that the symmetrical key will magically need to appear in various places, especially if you start basing more applications on these passwords. Each new service will require knowledge of the symmetrical key. In other words adding value will lower password security.

> It seems to me the whole mechanism is fundamentally flawed.
>
> Daniel

-- 
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP and CHAP
Daniel Eyholzer wrote:
> Hi there
>
> I'm using 1.0.0-pre3 to authenticate users with LDAP as backend. In the LDAP tree I have md5 passwords. When I configure the Network Access Server to use PAP it works fine, but with CHAP it does not work. I have read that CHAP cannot be used with encrypted passwords in the database, is that true? Is there no chance of using CHAP with md5 passwords in the LDAP tree?

How can you get RADIUS to work with LDAP? As far as I know, LDAP isn't working, according to this post from Paul Bender [EMAIL PROTECTED] (http://lists.cistron.nl/archives/freeradius-users/2004/05/frm00820.html): a bug report with both Red Hat (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126507) and FreeRADIUS (http://bugs.freeradius.org/show_bug.cgi?id=73).

> I would be most grateful for any comments!
>
> Regards,
> Daniel

Chan Min Wai, System Engineer, Optical Communication engineering Snd. Bhd.
RE: LDAP and CHAP
In short, yes, you need a clear text password at the server end. You have two choices:

a) store your passwords in your LDAP database in clear text
b) use a reversible encryption algorithm to store your passwords, and modify the rlm_ldap code to decrypt the user password as it pulls it out of LDAP.

Regards,
Michael

-----Original Message-----
From: Daniel Eyholzer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 15 July 2004 5:13 PM
To: [EMAIL PROTECTED]
Subject: LDAP and CHAP

Hi there

I'm using 1.0.0-pre3 to authenticate users with LDAP as backend. In the LDAP tree I have md5 passwords. When I configure the Network Access Server to use PAP it works fine, but with CHAP it does not work. I have read that CHAP cannot be used with encrypted passwords in the database, is that true? Is there no chance of using CHAP with md5 passwords in the LDAP tree?

I would be most grateful for any comments!

Regards,
Daniel
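The point made above, that CHAP verification needs the password itself while PAP does not, as an added Python example. This is not code from the thread or from FreeRADIUS: it models the RFC 1994 CHAP response (MD5 over identifier, secret and challenge) and the OpenLDAP {MD5} and {SMD5} userPassword forms, and the password, identifier and challenge are constructed test values.

```python
"""Why CHAP needs the clear-text password on the RADIUS side, and why PAP does not.

Added example, not code from the thread or from FreeRADIUS. It models the
RFC 1994 CHAP exchange and the OpenLDAP {MD5} / {SMD5} userPassword formats.
Passwords, identifiers and challenges below are constructed test data.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def ldap_md5_hash(password: str) -> str:
    """Store a password the way the original poster's LDAP tree does: {MD5} + base64(md5(pw))."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ldap_smd5_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted variant OpenLDAP also accepts: {SMD5} + base64(md5(pw || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.md5(password.encode("utf-8") + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode("ascii")


def pap_verify(stored: str, candidate: str) -> bool:
    """PAP: the NAS forwards the password the user typed, so the server can
    re-hash the candidate and compare. A one-way hash in LDAP is enough."""
    if stored.startswith("{MD5}"):
        expected = base64.b64decode(stored[len("{MD5}"):])
        return hmac.compare_digest(hashlib.md5(candidate.encode("utf-8")).digest(), expected)
    if stored.startswith("{SMD5}"):
        blob = base64.b64decode(stored[len("{SMD5}"):])
        digest, salt = blob[:16], blob[16:]
        return hmac.compare_digest(hashlib.md5(candidate.encode("utf-8") + salt).digest(), digest)
    # No scheme prefix: the attribute holds the password in clear text.
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge).
    The NAS computes this from the password the user typed and sends it to RADIUS."""
    return hashlib.md5(bytes([ident & 0xFF]) + password.encode("utf-8") + challenge).digest()


def chap_verify(stored: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """The server must recompute MD5(id || password || challenge), so it needs the
    password itself (clear text, or reversibly encrypted and decrypted first).
    Holding only md5(password) does not help: the identifier is prepended, so the
    stored digest cannot be extended into the expected response. Refuse honestly."""
    if stored.startswith("{"):
        raise ValueError("CHAP requires the clear-text password; a one-way hash cannot be used")
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)


def demo(password: str = "s3cret-dialup", challenge: Optional[bytes] = None) -> dict:
    """Run PAP and CHAP against a clear-text store and an {MD5} store (constructed data)."""
    challenge = os.urandom(16) if challenge is None else challenge
    ident = 0x2A
    response = chap_response(ident, password, challenge)  # what the NAS puts in Access-Request
    results = {
        "pap_clear": pap_verify(password, password),
        "chap_clear": chap_verify(password, ident, challenge, response),
        "pap_md5": pap_verify(ldap_md5_hash(password), password),
    }
    try:
        results["chap_md5"] = chap_verify(ldap_md5_hash(password), ident, challenge, response)
    except ValueError:
        results["chap_md5"] = False
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} {'OK' if ok else 'FAIL'}")
```

Running the script shows the combination the original poster hit: PAP succeeds against both stores, CHAP succeeds only when the attribute is clear text. The {SMD5} helper is included because a salted hash is the usual recommendation once PAP is the only protocol that has to be served.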
Re: LDAP and CHAP
Mitchell, Michael [EMAIL PROTECTED] wrote:
> In short, yes, you need a clear text password at the server end.

Okay.

> b) use a reversible encryption algorithm to store your passwords, and modify the rlm_ldap code to decrypt the user password as it pulls it out of LDAP.

This feature is not implemented yet?

Thanks,
Daniel
RE: LDAP and CHAP
>> b) use a reversible encryption algorithm to store your passwords, and modify the rlm_ldap code to decrypt the user password as it pulls it out of LDAP.
>
> This feature is not implemented yet?

Well, it's not a standard feature of FreeRADIUS, and quite possibly shouldn't be, so probably never will be. ;-)
Re: LDAP and CHAP
Mitchell, Michael [EMAIL PROTECTED] wrote:
> Well, it's not a standard feature of FreeRADIUS, and quite possibly shouldn't be, so probably never will be. ;-)

Why isn't it a standard feature? Is there an obvious reason? Are you all storing your passwords in clear text in LDAP or whatever backend you use? Or are you just not using CHAP for authentication?

Daniel
RE: LDAP and CHAP
> Why isn't it a standard feature? Is there an obvious reason? Are you all storing your passwords in clear text in LDAP or whatever backend you use? Or are you just not using CHAP for authentication?

What is the added benefit of something that is encrypted where the algorithm/keys to decrypt are public knowledge... There is no security there, just a false sense of the feeling.

Kind regards,
Nico Baggus
ING Securities Services Systems Management
+31 20 - 7979577
RE: LDAP and CHAP
On Thu, 15 Jul 2004, Mitchell, Michael wrote:
> In short, yes, you need a clear text password at the server end. You have two choices:
>
> a) store your passwords in your LDAP database in clear text
> b) use a reversible encryption algorithm to store your passwords, and modify the rlm_ldap code to decrypt the user password as it pulls it out of LDAP.

You don't need to modify rlm_ldap, you can use an external program for that job.

> Regards,
> Michael
>
> -----Original Message-----
> From: Daniel Eyholzer [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 15 July 2004 5:13 PM
> To: [EMAIL PROTECTED]
> Subject: LDAP and CHAP
>
> Hi there
>
> I'm using 1.0.0-pre3 to authenticate users with LDAP as backend. In the LDAP tree I have md5 passwords. When I configure the Network Access Server to use PAP it works fine, but with CHAP it does not work. I have read that CHAP cannot be used with encrypted passwords in the database, is that true? Is there no chance of using CHAP with md5 passwords in the LDAP tree?
>
> I would be most grateful for any comments!
>
> Regards,
> Daniel

-- 
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: LDAP and CHAP
On Thu, Jul 15, 2004 at 03:07:44PM +0200, Oliver Graf wrote:
> On Thu, Jul 15, 2004 at 02:35:03PM +0200, Daniel Eyholzer wrote:
>> Mitchell, Michael [EMAIL PROTECTED] wrote:
>>> Well, it's not a standard feature of FreeRADIUS, and quite possibly shouldn't be, so probably never will be. ;-)
>>
>> Why isn't it a standard feature? Is there an obvious reason? Are you all storing your passwords in clear text in LDAP or whatever backend you use? Or are you just not using CHAP for authentication?

I use such a thing for our MySQL store. Just put the encrypted stuff in the database and change rad_ktk_decodepw in lib/radius.c to decrypt the password (I just check the length of the encrypted password, because this clearly identifies them in my case).

I can give a more concrete example, but I won't expose my reversible crypt algorithm :) I could also provide a stub FreeRADIUS auth rlm as an example.

Oliver.
Re: LDAP and CHAP
Chan Min Wai (System Administrator) wrote:
> Daniel Eyholzer wrote:
>> Hi there
>>
>> I'm using 1.0.0-pre3 to authenticate users with LDAP as backend. In the LDAP tree I have md5 passwords. When I configure the Network Access Server to use PAP it works fine, but with CHAP it does not work. I have read that CHAP cannot be used with encrypted passwords in the database, is that true? Is there no chance of using CHAP with md5 passwords in the LDAP tree?
>
> How can you get RADIUS to work with LDAP? As far as I know, LDAP isn't working, according to this post from Paul Bender [EMAIL PROTECTED] (http://lists.cistron.nl/archives/freeradius-users/2004/05/frm00820.html): a bug report with both Red Hat (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126507) and FreeRADIUS (http://bugs.freeradius.org/show_bug.cgi?id=73).

This is only a problem for OpenLDAP library installations that are compiled against SASL2. Also, it is easy to patch FreeRADIUS's rlm_ldap module so that it uses SASL2 instead of SASL. In fact, if you are running Fedora Core 2 (and maybe Fedora Core 1), you can download and compile the latest FreeRADIUS RPM from http://download.fedora.redhat.com/pub/fedora/linux/core/development/SRPMS/. It has a patch that implements this.
Re: LDAP and CHAP
Daniel Eyholzer wrote:
> Mitchell, Michael [EMAIL PROTECTED] wrote:
>> Well, it's not a standard feature of FreeRADIUS, and quite possibly shouldn't be, so probably never will be. ;-)
>
> Why isn't it a standard feature? Is there an obvious reason? Are you all storing your passwords in clear text in LDAP or whatever backend you use? Or are you just not using CHAP for authentication?

As was mentioned, if a reversible algorithm is used, then it gives you a false sense of security. You can create the same level of security using the appropriate ACLs in the LDAP server.

If you want to store hashed passwords and use a CHAP algorithm for authentication, then you might consider MS-CHAPv2, since you can store the hashed NT passwords in LDAP.