Re: Res: Res: EAP-TTLS + Post-auth clear password

2007-03-23 Thread Alan DeKok
Erico Augusto wrote:
> as suggested, I'm working with exec module.
> radiusd.conf:
> ...
> exec {
>     post-auth:User-Password =
>         `%{exec:/usr/local/etc/raddb/jradius.forward}`
>     wait = yes
>     input_pairs = request
> }
> ...
> the content of /usr/local/etc/raddb/jradius.forward script is just:
>     #!/bin/bash
>     echo 123456
>
> so, the user's password that I'm using is 123456 (inserted at SecureW2
> Windows XP popup), but I'm yet receiving ciphered User-Password at
> destination custom app...

  All I can say is huh?  You want to use a custom app, and your
solution is to write a shell script that does... nothing?

  Perhaps you could explain how the custom app *currently* interacts
with FreeRADIUS.  From the examples you've posted, it doesn't.

  My suggestion was to write a program that would send the username &
password to the custom app.  See the documentation for how to see the
username & password in a shell script run by rlm_exec.

> I have changed the content of jradius.forward script to
>     #!/bin/bash
>     echo 123456789
>
> just to see if the password sent is the one returned by
> jradius.forward script,

  What makes you think that the shell script changes the password?
Nothing in the documentation or examples would lead you to believe that
simply echoing a number would have the magic side-effect of changing the
password.

> some idea about what is wrong?

  The configurations you've shown don't match the documentation.  i.e.
You think they do one thing, but the documentation says they do
something else.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
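Added example (not part of the thread and not FreeRADIUS or JRadius code): a sketch of the kind of rlm_exec script the reply above describes, one that reads the username and password from its environment and hands them to the custom app. It assumes rlm_exec with input_pairs = request exports attributes as environment variables (USER_NAME, USER_PASSWORD, possibly wrapped in double quotes) and treats a non-zero exit status as failure; the path /usr/local/bin/customapp-auth and its stdin format are hypothetical.

```sh
#!/bin/sh
# Installed as /usr/local/etc/raddb/jradius.forward (the script name used in the thread).
# Hypothetical client of the custom app: reads "user\npassword\n" on stdin,
# exits 0 when the credentials are accepted.
FORWARD_CMD="${FORWARD_CMD:-/usr/local/bin/customapp-auth}"

# Remove one pair of surrounding double quotes, if present
# (assumption: the server may quote string values it exports).
strip_quotes() {
    case "$1" in
        \"*\") _v=${1#\"}; _v=${_v%\"}; printf '%s' "$_v" ;;
        *)     printf '%s' "$1" ;;
    esac
}

forward_credentials() {
    _user=$(strip_quotes "${USER_NAME-}")
    _pass=$(strip_quotes "${USER_PASSWORD-}")
    # The outer EAP request carries no User-Password; only the inner
    # tunnelled PAP request does. Fail closed when either value is missing.
    if [ -z "$_user" ] || [ -z "$_pass" ]; then
        return 2
    fi
    # Pass the credentials on stdin, not as arguments: argv is visible in
    # the process list. Nothing is echoed or logged here.
    printf '%s\n%s\n' "$_user" "$_pass" | "$FORWARD_CMD" >/dev/null 2>&1
}

# Act only when invoked under the installed script name, so the functions
# above can also be sourced and exercised on their own.
case "${0##*/}" in
    jradius.forward) forward_credentials; exit $? ;;
esac
```

Unlike `echo 123456`, this script changes nothing in the request; it only reads what the server exports and reports the custom app's verdict through its exit status.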


Res: Res: Res: EAP-TTLS + Post-auth clear password

2007-03-23 Thread Erico Augusto
----- Original message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, 23 March 2007 3:54:41
Subject: Re: Res: Res: EAP-TTLS + Post-auth clear password

> Erico Augusto wrote:
>   All I can say is huh?  You want to use a custom app, and your
> solution is to write a shell script that does... nothing?
sure not!

>   Perhaps you could explain how the custom app *currently* interacts
> with FreeRADIUS.  From the examples you've posted, it doesn't.
it's called learning ...

>   My suggestion was to write a program that would send the username &
> password to the custom app.  See the documentation for how to see the
> username & password in a shell script run by rlm_exec.
that's what I'm looking for ... constructive suggestions ...

>   What makes you think that the shell script changes the password?
> Nothing in the documentation or examples would lead you to believe that
> simply echoing a number would have the magic side-effect of changing the
> password.
just learning how the tool works...

>   The configurations you've shown don't match the documentation.  i.e.
> You think they do one thing, but the documentation says they do
> something else.
The interaction with JRadius now works ... it wasn't an issue with freeradius
... JRadius API was outputting [Encrypted String] to the password ... in truth,
it's just in ASCII ... a simple cast fixes everything.

So, to get cleartext password with WinXP SecureW2 (EAP-TTLS) Supplicant
configured to PAP at Authentication Tab, using JRadius API, just gather
password bytes as follows:
    byte[] passByte = requestPacket.getAttributes().get(Attr_UserPassword.NAME).getValue().getBytes();
where requestPacket is a RadiusPacket object.

Erico.


Re: Res: EAP-TTLS + Post-auth clear password

2007-03-22 Thread Alan DeKok
Erico Augusto wrote:

> I'm trying to forward username and password to my own app, using
> post-auth section, to perform user authentication, as described below
> ... is that possible?

 Yes.  See the exec module.  Why do you think the pap module has
anything to do with it?

  Alan DeKok.


Res: Res: EAP-TTLS + Post-auth clear password

2007-03-22 Thread Erico Augusto
Hi,
as suggested, I'm working with exec module.
radiusd.conf:
...
exec {
    post-auth:User-Password =
        `%{exec:/usr/local/etc/raddb/jradius.forward}`
    wait = yes
    input_pairs = request
}
...
the content of /usr/local/etc/raddb/jradius.forward script is just:
    #!/bin/bash
    echo 123456

so, the user's password that I'm using is 123456 (inserted at SecureW2 Windows
XP popup), but I'm yet receiving ciphered User-Password at destination custom
app...

I have changed the content of jradius.forward script to
    #!/bin/bash
    echo 123456789

just to see if the password sent is the one returned by jradius.forward
script, but all entries at radiusd -X show:
...
Processing the post-auth section of radiusd.conf
...
rlm_jradius: packing attribute User-Password (type: 2; len: 6)
...

Conclusion: the User-Password attribute is not being changed by the external
script, since the length should be 9 ...

some idea about what is wrong?

one more point: I'm setting user's password at etc/raddb/users file (it may be
a problem, I mean ... does it fix the password?).

thanks a lot, 

Erico.


----- Original message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, 22 March 2007 5:29:24
Subject: Re: Res: EAP-TTLS + Post-auth clear password

> Erico Augusto wrote:
>
> > I'm trying to forward username and password to my own app, using
> > post-auth section, to perform user authentication, as described below
> > ... is that possible?
>
>  Yes.  See the exec module.  Why do you think the pap module has
> anything to do with it?
>
>   Alan DeKok.

EAP-TTLS + Post-auth clear password

2007-03-21 Thread Erico Augusto
Hi,

I would like to send clear-text password at post-auth using eap-ttls. is there 
a way?
I'm avoiding to write a lot of details about the question. Just using post-auth 
I got to send User-password attribute, but it's cyphered at destination(Yes, 
there is all the TLS tunneling stuff, but I'm trying to see the problem at a 
simpler-unknown perspective).

I'm using SecureW2 as supplicant(PAP), freeradius-1.1.2+jradius patch.

Thanks a lot.

Erico.


----- Original message -----
From: Nick Owen [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, 21 March 2007 16:45:43
Subject: Re: Apache2 - PAM - freeRADIUS - users

On 3/21/07, Helmut Tröbs [EMAIL PROTECTED] wrote:
 Hello Michael,

 
   freeRADIUS works quite good and it's possible to authenticate via PAM,
  for example local logins, ssh-logins, su, chsh, gdm, ... are working
  quite fine.
 
  The only thing is the htaccess from apache2 which will not work. The
  Radius gets the request and permits the user:
 
I would suggest finding out why Apache is requiring more from PAM than
  everyone else does.  It's not really a pam_radius problem, because it
  works with everything else.
 


 we had similar problems with radius and Apache2 (it is not a RADIUS/PAM
 problem!) PAM didn't work for us neither, so a colleague found another
 radius module for Apache 2:

 http://www.outoforder.cc/projects/apache/mod_auth_xradius/

 But it only works with Apache 2.0.x. With Apache 2.2.x we didn't manage
 to get any radius authentication working.

I got apache - radius working with mod_auth_xradius with apache-2.2.2 on FC6.

a very basic how-to is here:
http://www.howtoforge.com/apache_radius_two_factor_authentication

hth.

nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/


Re: EAP-TTLS + Post-auth clear password

2007-03-21 Thread joe vieira
Erico Augusto wrote:
> Hi,
>
> I would like to send clear-text password at post-auth using eap-ttls.
> is there a way?
> I'm avoiding to write a lot of details about the question. Just using
> post-auth I got to send User-password attribute, but it's cyphered at
> destination(Yes, there is all the TLS tunneling stuff, but I'm trying
> to see the problem at a simpler-unknown perspective).

i think by default pap is an md5 hash, you should be able to change that 
tho in the radiusd.conf (altho i could be totally insane.) in 1.1.4+ 
this looks to have changed to be auto negotiated.  other people will 
know better than me but, i think this is accurate.

Joe


Res: EAP-TTLS + Post-auth clear password

2007-03-21 Thread Erico Augusto
thanks joe,

my pap's modules section is already as follows:
pap {
 encryption_scheme = clear
}
I'm trying to forward username and password to my own app, using post-auth 
section, to perform user authentication, as described below ... is that 
possible?

Erico.

----- Original message -----
From: joe vieira [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, 21 March 2007 17:17:18
Subject: Re: EAP-TTLS + Post-auth clear password

> Erico Augusto wrote:
> > Hi,
> >
> > I would like to send clear-text password at post-auth using eap-ttls.
> > is there a way?
> > I'm avoiding to write a lot of details about the question. Just using
> > post-auth I got to send User-password attribute, but it's cyphered at
> > destination(Yes, there is all the TLS tunneling stuff, but I'm trying
> > to see the problem at a simpler-unknown perspective).
> > I'm using SecureW2 as supplicant(PAP), freeradius-1.1.2+jradius patch.
> i think by default pap is an md5 hash, you should be able to change that
> tho in the radiusd.conf (altho i could be totally insane.) in 1.1.4+
> this looks to have changed to be auto negotiated.  other people will
> know better than me but, i think this is accurate.

Joe