
List:       freeradius-users
Subject:    Re: Users' passwords in SQL
From:       Alan DeKok <aland () striker ! ottawa ! on ! ca>
Date:       2001-03-28 16:43:26

Yury Bokhoncovich <byg@center-f1.ru> wrote:
> There request->password->strvalue is assumed to be a plain-text password, but
> I consider it pretty unreasonable to have plain text in a password database

  Please read the FAQ on this point.

http://www.freeradius.org/faq/freeradius.html#4.4

> so I have encrypted all passwords in the DB before.

  Then you can't do CHAP authentication.

> So, I have done the following patch:
>         if (strncmp(crypt(request->password->strvalue, row[0]), row[0],
> request->password->length) != 0) {
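
Review bot: the length passed to strncmp() is request->password->length, the length of the submitted plain-text password, not the length of the stored hash in row[0], so the comparison covers only that many leading characters of the crypt() output, and those leading characters are the salt taken from row[0] itself. Compare the whole strings with strcmp() instead, and check that crypt() did not return NULL before handing its result to the comparison.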

  You're welcome to make any changes you want to the source.

> But I'm not sure this is generally right. Maybe we'd have two tuples in
> the DB per user: one having attribute='password' (it contains a valid
> encrypted or plain-text password) and another having attribute='Auth-Type'
> (it contains various values like 'Crypt-Local' and so on)?

  You wouldn't want to have 'Auth-Type'.  You'd want to have an
attribute 'Password', and another 'Crypt-Password'.  The standard
dictionary file already has these attributes defined.

  Alan DeKok.
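
Why a database holding only one-way hashes rules out CHAP, shown as an added example that is not part of the original message or of the FreeRADIUS source. The CHAP digest follows RFC 1994; `one_way` is a stand-in for crypt(3), and all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def one_way(password: bytes, salt: bytes) -> bytes:
    """Stand-in for crypt(3) (assumption): any salted one-way hash behaves the same here."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def check_pap(submitted: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """PAP delivers the password itself, so the server can re-hash it and compare."""
    return hmac.compare_digest(one_way(submitted, salt), stored_hash)

def check_chap(ident: int, challenge: bytes, response: bytes, server_secret: bytes) -> bool:
    """CHAP delivers only a digest; the server recomputes it from its own copy of the secret."""
    return hmac.compare_digest(chap_response(ident, server_secret, challenge), response)

def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    password = b"example-password"
    salt = os.urandom(16)
    stored_hash = one_way(password, salt)       # all that a hashed-only database holds
    ident, challenge = 7, os.urandom(16)        # chosen by the NAS for each attempt
    response = chap_response(ident, password, challenge)  # computed on the client side
    return {
        "pap_with_hash": check_pap(password, salt, stored_hash),
        "chap_with_cleartext": check_chap(ident, challenge, response, password),
        # A hashed-only database can only feed the hash into MD5. That is not the
        # secret the client used, so the recomputed digest does not match.
        "chap_with_hash": check_chap(ident, challenge, response, stored_hash),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```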

