List:       freeradius-devel
Subject:    Re: LDAP and CHAP
From:       Russell Coker <russell () coker ! com ! au>
Date:       2001-11-29 14:49:00

On Wed, 28 Nov 2001 17:03, Kostas Kalevras wrote:
> > I was wondering if there's currently a way to use encrypted (but
> > decryptable) passwords in LDAP so users can be authenticated with CHAP. 
> > You could use, for example, a key to encrypt the plaintext passwords and
> > put them in LDAP and have freeradius use the same key to decrypt them
> > again.
>
> It is something that I really wanted to add to rlm_ldap. The only problem
> was that no one asked for such a feature. It seems that things have
> changed, so I'll go on and add it. Anyone with a good idea for a symmetric
> password encryption? I would think XOR with a >16 bytes encryption key
> should do just fine. From what I can remember XOR only has problems when
> the encryption key is smaller than the clear text message (but I may be
> wrong).

Why not use the same encryption method (shared secret and MD5) as used for 
communication between RADIUS server and client?

After all, if the attacker can compromise one of these channels then they can 
probably crack the other just as easily.

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page
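
The shared-secret-and-MD5 method suggested above is the User-Password hiding of RFC 2865 section 5.2. The sketch below is an added example, not code from this thread or from rlm_ldap: it applies that scheme to a stored value and then runs the RFC 1994 CHAP check that needs the recovered cleartext. The `store`/`load` layout (a random 16-octet salt in place of the Request Authenticator, prepended to the hidden password) and all sample values are assumptions.

```python
import hashlib, hmac, os

BLOCK = 16  # MD5 digest size; RFC 2865 hides the password in 16-octet blocks

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide(password, secret, salt):
    """RFC 2865 5.2 hiding. `salt` stands in for the Request Authenticator."""
    if not 0 < len(password) <= 128 or len(salt) != BLOCK:
        raise ValueError("need 1..128 password octets and a 16-octet salt")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = b"", salt
    for i in range(0, len(padded), BLOCK):
        # c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = salt
        prev = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide(hidden, secret, salt):
    if not hidden or len(hidden) % BLOCK or len(salt) != BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out, prev = b"", salt
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")  # padding is NULs, so passwords cannot end in NUL

def store(password, secret):
    """Hypothetical directory value: fresh random salt, then the hidden password."""
    salt = os.urandom(BLOCK)
    return salt + hide(password, secret, salt)

def load(blob, secret):
    return unhide(blob[BLOCK:], secret, blob[:BLOCK])

def chap_ok(ident, challenge, response, cleartext):
    """RFC 1994 check: response == MD5(ident + password + challenge)."""
    expected = hashlib.md5(bytes([ident]) + cleartext + challenge).digest()
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    key = b"constructed-secret"  # constructed sample values, not from the thread
    blob = store(b"correct horse", key)
    chal = os.urandom(16)
    resp = hashlib.md5(b"\x07" + b"correct horse" + chal).digest()
    print(chap_ok(7, chal, resp, load(blob, key)))
```

With the same salt and secret, equal passwords produce equal stored values, which is why `store` draws a fresh salt for every entry.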

