List: freeradius-users
Subject: Re: Best/simplest authentication method to validate an encrypted user/password against encrypted kno
From: Alan DeKok <aland () deployingradius ! com>
Date: 2020-04-29 22:02:44
Message-ID: 86D9B48A-0703-4965-ABE3-C13A01F67D0D () deployingradius ! com
On Apr 29, 2020, at 5:03 PM, Gleb Lisikh <in4bit.general@gmail.com> wrote:
> I'd like to be able to authenticate a user by comparing password provided
> with the client's authentication request with what's in a password store.
> It can be easily done by Clear-Text password, of course, but I cannot have
> a known good password in that password store in Clear-Text form - only
> encrypted (doesn't really matter how).
It does matter how. FreeRADIUS has to understand the encrypted form in order to authenticate the user.
> So ideally, I'd like to get an encrypted password string from a client, and
> compare it with an encrypted password string retrieved from the known good
> password store.
RADIUS doesn't work that way.
You can get the clear-text password from the user. It's in the User-Password attribute. You can get the encrypted password from a database such as SQL or LDAP. The "pap" module will then compare the two.
> The retrieval of the known good password is done in the
> python module. And I'd rather not use SQL instead for the Python.
The python module should just hand the encrypted password to FreeRADIUS, and let FreeRADIUS do the work.
See mods-available/pap for documentation on what encrypted formats are supported.
> EAP methods encrypt the whole message using the user passwords as a key (as
> far as I understand it), which complicates the matter...
No. EAP methods do something rather more complex, like TLS.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
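
The flow described in the reply above, as an added example that is not part of the original message or of FreeRADIUS itself: a Python authorize hook hands the stored salted hash to the server as a control item, and a separate function illustrates why the server needs the clear-text User-Password and a known hash format to compare. STORE, make_ssha and ssha_matches are hypothetical names, the store contents are constructed, and the code assumes the Python 3 variant of the python module and the {SSHA} format.

```python
import base64, hashlib, hmac, os

try:
    import radiusd  # provided by FreeRADIUS when loaded by the python module
    UPDATED, NOTFOUND = radiusd.RLM_MODULE_UPDATED, radiusd.RLM_MODULE_NOTFOUND
except ImportError:  # stand-in values so the file also runs outside the server
    UPDATED, NOTFOUND = 8, 6


def make_ssha(password, salt=None):
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


# Constructed password store (hypothetical): salted hashes only, no clear text.
STORE = {"alice": make_ssha("correct horse", b"\x01\x02\x03\x04")}


def authorize(p):
    """authorize hook: look up the hash and hand it to the server unchanged."""
    user = dict(p).get("User-Name")
    stored = STORE.get(user)
    if stored is None:
        return NOTFOUND
    # Control (config) item that the pap module compares User-Password against.
    return (UPDATED, (), (("Password-With-Header", stored),))


def ssha_matches(user_password, stored):
    """Illustration only: the salted-SHA1 check a server performs.

    The salt lives inside the stored value, so the check needs the
    clear-text password and the exact format; two independently
    hashed strings cannot simply be compared with each other.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("format not understood")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(user_password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)
```

Two calls to make_ssha with the same password return different strings because the salt is random, yet both verify against the clear-text password.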