Phillip Ames
2004-01-07 00:24:35 UTC
Hi everybody,
I've been poring over the FAQ, archives, config files, and Google for quite
some time and have yet to uncover an answer to my problem (which I would
_think_ is quite common so I have a feeling I'm missing a glaringly obvious
fact). Anyway, to the point:
I have been able to get Free Radius to authenticate from a router using
CHAP. The problem with this is that the passwords are stored in plain text
in the users file on the authentication server. I don't want to use a MySQL
database or LDAP server. I don't mind if the passwords are transmitted in
plaintext (or encrypted with the secret key) over the network, but I'd like
to have them encrypted on the server in whatever file they are stored in.
Therefore, it seems that PAP is the way to go. So, this seems to be my
solution:
1. It seems that the authentication method is chosen by the client (in this
case the router) - please correct me if I am wrong on this assumption.
2. I don't want to use CHAP, so I have to configure my router to use PAP.
3. How do I set up PAP for the Free Radius server?
I understand that PAP authentication is built into the server via the
rlm_pap module, but where does PAP authentication get its information from?
(as in, where are the user names? Where are the passwords? Does it use the
values from /etc/passwd?)
I'd also rather not add an account to my /etc/passwd file for all the users
who need to authenticate with this system, so I looked at the rlm_passwd
module. It seems like this might be a better route if I use the "authtype =
crypt" config line to make sure the passwords are crypted. Would the
following be the correct way of setting up that type of configuration?
passwd etc_raddb_mypasswdfile {
filename = ${raddbdir}/mypasswdfile
format = "*User-Name::Password"
authtype = crypt
}
The only stumbling block left after that would be figuring out how to crypt
the passwords for those users (I'm open for suggestions of
functions/languages to do this in). From what I understand it wouldn't
matter what salt would be used to crypt those passwords (again, correct me
if I'm wrong) because crypt would return the same password when the original was
crypted against the value stored in the password file.
Sorry for the length, I'm just trying to make sure I'm being clear about
what my thought process is so it can be corrected if in error. Thanks in
advance for any help, and if you're going to refer me to the FAQ please at
least point me in a direction (i.e. a section number or keyword).
-Phil
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
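As an added example (not part of Phil's post and not FreeRADIUS code), here is a small POSIX shell script that builds a passwd-style file with crypt(3)-format hashes and checks a login against it. It assumes the openssl CLI (1.1.1 or newer) for "openssl passwd -6", and a three-field line layout chosen to match the post's "*User-Name::Password" format: the salt question above is answered by the verify step, which reads the salt back out of the stored string, so any salt "works" at check time, yet each user must still get a fresh random one.

```shell
#!/bin/sh
# Added example, not from the original post: build a passwd-style file with
# SHA-512 crypt ($6$) hashes and verify a password against it.
# Assumptions: the openssl CLI for "openssl passwd -6"; each line is
# NAME::HASH, i.e. the ignored middle field of the post's format line.
set -eu

# crypt_hash PASSWORD SALT -> prints "$6$SALT$hash" (glibc crypt(3) scheme)
crypt_hash() {
    openssl passwd -6 -salt "$2" "$1"
}

# new_salt -> 16 random characters from the crypt salt alphabet [a-zA-Z0-9./]
new_salt() {
    head -c 12 /dev/urandom | base64 | tr '+/' './'
}

# add_user FILE NAME PASSWORD -> appends "NAME::$6$salt$hash" with a fresh salt
add_user() {
    salt=$(new_salt)
    printf '%s::%s\n' "$2" "$(crypt_hash "$3" "$salt")" >> "$1"
}

# stored_hash FILE NAME -> prints the hash field for NAME (empty if absent)
stored_hash() {
    awk -F: -v u="$2" '$1 == u { print $3; exit }' "$1"
}

# verify_password FILE NAME PASSWORD -> exit 0 only if the password matches.
# The salt is taken from the stored string, so the checker never needs to
# know it in advance: that is why the salt "does not matter" at check time.
verify_password() {
    stored=$(stored_hash "$1" "$2")
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    [ "$(crypt_hash "$3" "$salt")" = "$stored" ]
}

# Demonstration on a constructed file: two users with the same password get
# different hashes because each has its own salt, so one precomputed table
# cannot be reused against the other.
demo_file=$(mktemp)
add_user "$demo_file" alice secret1
add_user "$demo_file" bob   secret1
cat "$demo_file"
verify_password "$demo_file" alice secret1 && echo "alice: accepted"
verify_password "$demo_file" alice wrong   || echo "alice/wrong: rejected"
rm -f "$demo_file"
```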