List: freeradius-users
Subject: Re: Using the various User-Password, Chap-Password, etc... with MySQL
From: "liran tal" <liransgarage () gmail ! com>
Date: 2007-07-30 15:55:16
Message-ID: 3ed55890707300855m30373fe0n9a7f705f958935ff () mail ! gmail ! com
Hey, some updates...

Ok I've done some tests and thanks to Kegal I was able to move forward with
these different 'scenarios'.

For having an encrypted password in the database what can be done is to give
the user the attribute Crypt-Password and set the Value to be
ENCRYPT('somepass') where ENCRYPT() is a MySQL function.

Still have to figure out about MD5, SHA1 and CHAP.

Thanks so far,
Liran.

On 7/30/07, liran tal <liransgarage@gmail.com> wrote:
>
> Thanks Alan,
>
> I've read the manpage on rlm_pap.
> Regarding the User-Password attribute I understand that it is still
> supported but we moved to using Cleartext-Password which is essentially
> the same.
>
> Regarding the other attributes like Crypt-Password or MD5-Password, the
> manpage says that these contain the crypted/md5 hashed form of the
> password. Does that mean that if I use those as the password attribute
> then in the database I'm supposed to use the MD5() function to encrypt
> the password I save there?
>
> This also brings me to another question, if I can encrypt like that a
> password in the database even for the Cleartext-Password (or the
> deprecated User-Password) attribute as the manpage also mentions that
> rlm_pap, if put last in the authorize section will try to decrypt the
> password.
>
>
> Do I understand this correctly?
>
>
> Regards,
> Liran.
>
>
> On 7/29/07, Alan DeKok <aland@deployingradius.com > wrote:
> >
> > liran tal wrote:
> > > I was wondering if someone can clearly explain the use of different
> > > Password attributes when they're used in a scenario where MySQL is
> > > involved.
> >
> > The different password attributes have nothing to do with MySQL.
> >
> > Put a clear-text password in MySQL, and let the server deal with
> > different authentication protocols.
> >
> > > The basic case of User-Password is clear.
> > > When the attribute in the radcheck table is User-Password then its
> > > value is the password in clear text and the op is ==
> >
> > No. See the recent documentation in 1.1.5 and following. The
> > attribute is Cleartext-Password, and the operator is :=.
> >
> > > What about Cleartext-Password? I've added this attribute with op of :=
> > > and value password in clear text and used radtest as a test, and it
> > > results in just re-transmission of Access-Request queries, and
> > > basically not working.
> >
> > See the FAQ for "it doesn't work". The FAQ, README, INSTALL, etc. all
> > say to run the server in debugging mode.
> >
> > > What about Chap-Password, MD5-Password, SHA1-Password, what are their
> > > corresponding values and op like?
> >
> > Read the documentation in "man rlm_pap", as suggested in the README.
> >
> > Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
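
The open question in this thread about MD5, SHA1 and CHAP comes down to what a server can recompute from the value stored in the database. The following Python is an added illustration, not part of the thread and not FreeRADIUS code: it shows a PAP check succeeding against a stored digest while a CHAP check only succeeds when the clear-text password is available. It assumes unsalted hex digests as MySQL's MD5() and SHA1() return them and the RFC 1994 CHAP response formula; all function names are hypothetical.

```python
import hashlib
import hmac
import os


def stored_digest(password: str, algo: str) -> str:
    """Unsalted hex digest, the form MySQL's MD5()/SHA1() would put in the row."""
    return hashlib.new(algo, password.encode()).hexdigest()


def pap_check(submitted: str, stored_hex: str, algo: str) -> bool:
    """PAP: the server receives the password itself, so it can hash and compare."""
    candidate = hashlib.new(algo, submitted.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored_hex.lower())


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_check(ident: int, response: bytes, challenge: bytes, held: bytes) -> bool:
    """CHAP: the server recomputes the response from whatever secret it holds."""
    return hmac.compare_digest(chap_response(ident, held, challenge), response)


def demo() -> dict:
    password = "somepass"            # constructed sample value
    ident, challenge = 7, os.urandom(16)
    md5_row = stored_digest(password, "md5")
    sha1_row = stored_digest(password, "sha1")
    # What a CHAP client sends: it never transmits the password.
    client_resp = chap_response(ident, password.encode(), challenge)
    return {
        "pap_md5": pap_check(password, md5_row, "md5"),
        "pap_sha1": pap_check(password, sha1_row, "sha1"),
        "pap_wrong": pap_check("wrongpass", md5_row, "md5"),
        "chap_cleartext": chap_check(ident, client_resp, challenge, password.encode()),
        # Holding only the digest (hex or raw) cannot reproduce the response.
        "chap_md5_hex": chap_check(ident, client_resp, challenge, md5_row.encode()),
        "chap_md5_raw": chap_check(ident, client_resp, challenge, bytes.fromhex(md5_row)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
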