
List:       freeradius-users
Subject:    Re: Best/simplest authentication method to validate an encrypted user/password against encrypted kno
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2020-04-29 22:02:44
Message-ID: 86D9B48A-0703-4965-ABE3-C13A01F67D0D () deployingradius ! com

On Apr 29, 2020, at 5:03 PM, Gleb Lisikh <in4bit.general@gmail.com> wrote:
> I'd like to be able to authenticate a user by comparing password provided
> with the client's authentication request with what's in a password store.
> It can be easily done by Clear-Text password, of course, but I cannot have
> a known good password in that password store in Clear-Text form - only
> encrypted (doesn't really matter how).

  It does matter how.  FreeRADIUS has to understand the encrypted form in order to authenticate the user.

> So ideally, I'd like to get an encrypted password string from a client, and
> compare it with an encrypted password string retrieved from the known good
> password store.

  RADIUS doesn't work that way.

  You can get the clear-text password from the user.  It's in the User-Password attribute.  You can get the encrypted password from a database such as SQL or LDAP.  The "pap" module will then compare the two.

> The retrieval of the known good password is done in the
> python module. And I'd rather not use SQL instead for the Python.

  The python module should just hand the encrypted password to FreeRADIUS, and let FreeRADIUS do the work.

  See mods-available/pap for documentation on what encrypted formats are supported.

> EAP methods encrypt the whole message using the user passwords as a key (as
> far as I understand it), which complicates the matter...

  No.  EAP methods do something rather more complex, like TLS.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
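
The approach described in the reply above, as an added example that is not part of the original message or FreeRADIUS's own code: a python module hook that hands the stored hash to the server, plus the re-hash of the clear-text User-Password that any server must perform against a salted hash. It assumes the (code, reply, control) tuple return form of rlm_python and an LDAP-style {SSHA} store; `STORE`, `make_ssha` and `ssha_matches` are hypothetical names.

```python
import base64
import hashlib
import hmac
import os

try:
    import radiusd  # only importable inside FreeRADIUS (rlm_python)
    UPDATED, NOTFOUND = radiusd.RLM_MODULE_UPDATED, radiusd.RLM_MODULE_NOTFOUND
except ImportError:
    UPDATED, NOTFOUND = 8, 6  # same return codes, for running this file offline


def make_ssha(password, salt=None):
    """Build an LDAP-style {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


# Constructed password store (hypothetical); only hashes are kept, never clear text.
STORE = {"alice": make_ssha("correct horse", b"\x01\x02\x03\x04")}


def authorize(p):
    """rlm_python hook: p is a tuple of (attribute, value) pairs from the request."""
    user = dict(p).get("User-Name")
    stored = STORE.get(user)
    if stored is None:
        return NOTFOUND
    # Put the hash in the control list; the "pap" module does the comparison.
    return (UPDATED, (), (("Password-With-Header", stored),))


def ssha_matches(cleartext, stored):
    """Illustration only: re-hash the clear-text password with the stored salt
    and compare digests. Two hashes of the same password with different salts
    never match, which is why hash-to-hash comparison cannot work."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(cleartext.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)
```
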

