Discussion:
LDAP backend and Password Encryption
Phillip Heller
2008-08-18 14:10:05 UTC
Hello,

Relatively new to both freeradius and ldap here.

I'm using the Centos Directory Server, which defaults to SSHA
encryption on the userPassword attribute.

I'm using freeradius to authenticate unix logins (via
pam_radius_auth), VPN (cisco asa) logins, and router/switch vty logins.

freeradius verifies existence of the user in various ldap groups, and
based upon that logic, either proxies off to a cryptocard server for
one-time-password authentication, or authenticates directly against
the userPassword attribute value.

It would seem that freeradius does not authenticate against SSHA. I
did try a few other encryption policies (crypt, md5) and set the
password_header value appropriately.

This is with version 2.0.5.

Any help would be greatly appreciated!

Regards,

Phil
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok
2008-08-18 14:41:46 UTC
I'm using the Centos Directory Server, which defaults to SSHA encryption
on the userPassword attribute.
That should work.
It would seem that freeradius does not authenticate against SSHA. I did
try a few other encryption policies (crypt, md5) and set the
password_header value appropriately.
In the LDAP module? That configuration is deprecated, and isn't even
documented in 2.0.5.

What is the output of debugging mode?

If the contents of the "userPassword" field are just the SSHA hash,
you will have to tell the FreeRADIUS that the field is the SSHA hash.
Otherwise, it has no idea.

In general, it's best to use the {ssha} header in the userPassword
field. The LDAP server should handle it fine, and FreeRADIUS will use
it to Just Do the Right Thing.

Alan DeKok.
Phillip Heller
2008-08-18 15:58:20 UTC
Post by Alan DeKok
In the LDAP module? That configuration is deprecated, and isn't even
documented in 2.0.5.
Ok, I've removed that configuration bit.
Post by Alan DeKok
What is the output of debugging mode?
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap:389, authentication 0
rlm_ldap: bind as uid=CRYPTOCARD,dc=somedomain,dc=com/somepassword to
ldap:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=somedomain,dc=com, with filter
(uid=test)
rlm_ldap: Added User-Password =
{SSHA}aZj99e5gRcpUEv26zXq7VvTa2apMdKBY44sVyg== in check items
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++++[people] returns ok
+++- elsif (group-Ldap-Group ==
"cn=mgmtro,ou=groups,dc=somedomain,dc=com") returns ok
+++ ... skipping elsif for request 0: Preceding "if" was taken
++- elsif (group-Ldap-Group ==
"cn=nocryptocard,ou=groups,dc=somedomain,dc=com") returns ok
++ ... skipping else for request 0: Preceding "if" was taken
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.

Hopefully this helps.

--phil
Alan DeKok
2008-08-18 16:03:50 UTC
Post by Phillip Heller
rlm_ldap: Added User-Password =
{SSHA}aZj99e5gRcpUEv26zXq7VvTa2apMdKBY44sVyg== in check items
That should work....
Post by Phillip Heller
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
You've *deleted* the "pap" entry from the "authorize" section. It
should be the last entry in that section.

Alan DeKok.
Phillip Heller
2008-08-18 16:24:18 UTC
Post by Alan DeKok
Post by Phillip Heller
rlm_ldap: Added User-Password =
{SSHA}aZj99e5gRcpUEv26zXq7VvTa2apMdKBY44sVyg== in check items
That should work....
Post by Phillip Heller
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
You've *deleted* the "pap" entry from the "authorize" section. It
should be the last entry in that section.
Ok, I added that in, but now:

rad_check_password: Found Auth-Type
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "fnord"
rlm_pap: Using clear text password
"{SSHA}uNexfodOuLt4WaJuzKvMOaDDm8s7kapAdFEVYw=="
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.

--phil
Alan DeKok
2008-08-18 16:32:02 UTC
You've been posting tiny pieces of the debug output. The whole debug
output includes things like the configuration for the PAP module.
Post by Phillip Heller
rlm_pap: login attempt with password "fnord"
rlm_pap: Using clear text password
"{SSHA}uNexfodOuLt4WaJuzKvMOaDDm8s7kapAdFEVYw=="
What is the configuration for the PAP module? You should set
"auto_header = yes".

Alan DeKok.
Phillip Heller
2008-08-18 17:10:12 UTC
Post by Alan DeKok
You've been posting tiny pieces of the debug output. The whole debug
output includes things like the configuration for the PAP module.
Sorry about that; in looking at the debugging output myself, I did not
see any PAP module configuration. However, adding it to the
instantiate section solved that.
Post by Alan DeKok
Post by Phillip Heller
rlm_pap: login attempt with password "fnord"
rlm_pap: Using clear text password
"{SSHA}uNexfodOuLt4WaJuzKvMOaDDm8s7kapAdFEVYw=="
What is the configuration for the PAP module? You should set
"auto_header = yes".
Configuration was just:

pap {
encryption_scheme = auto
}

Adding "auto_header = yes" solved the problem, all is working now,
thanks!

--phil
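What went wrong in this thread, and what "auto_header = yes" changes, can be shown outside of FreeRADIUS. The example below is added here and is not code from the thread or from the FreeRADIUS project: it is a small Python re-implementation of header-aware userPassword checking. With "auto_header = no" the stored value "{SSHA}..." is taken literally as the known-good cleartext, so the comparison is the string "{SSHA}..." against "fnord" and fails, exactly as the "Passwords don't match" line above shows. With header detection, the "{SSHA}" prefix selects SHA-1, the base64 payload is split into a 20-byte digest plus the trailing salt, and the supplied password is hashed with that salt before comparing. The scheme table, the function names and the sample password/salt are all this example's own assumptions, not FreeRADIUS internals.

```python
"""Header-aware userPassword verification, modelled on what rlm_pap does
with auto_header = yes.  Added example; not FreeRADIUS code."""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Assumed scheme table: (hash algorithm, digest length, salted?).
# For salted schemes the salt is whatever bytes follow the digest.
_SCHEMES = {
    "SHA": ("sha1", 20, False),
    "SSHA": ("sha1", 20, True),
    "MD5": ("md5", 16, False),
    "SMD5": ("md5", 16, True),
}
_HEADER_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def make_hash(scheme: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build a userPassword value of the form an LDAP server stores."""
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return "{CLEAR}" + password
    algo, _, salted = _SCHEMES[scheme]
    salt = (salt if salt is not None else os.urandom(8)) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_header(stored: str) -> Tuple[Optional[str], str]:
    """Return (SCHEME, payload); SCHEME is None when there is no {...} prefix."""
    m = _HEADER_RE.match(stored)
    if not m:
        return None, stored
    return m.group(1).upper(), m.group(2)


def naive_cleartext_compare(stored: str, supplied: str) -> bool:
    """The auto_header = no behaviour: the whole stored string, header and
    base64 included, is treated as the known-good cleartext, so a user who
    types the correct password is rejected."""
    return hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))


def verify_password(stored: str, supplied: str) -> bool:
    """The auto_header = yes behaviour: pick the scheme from the header,
    split digest and salt, hash the supplied password the same way and
    compare in constant time.  Malformed payloads are a reject, not a crash."""
    scheme, payload = split_header(stored)
    supplied_b = supplied.encode("utf-8")
    if scheme is None or scheme == "CLEAR":
        return hmac.compare_digest(payload.encode("utf-8"), supplied_b)
    if scheme not in _SCHEMES:
        raise ValueError("unsupported password scheme: {%s}" % scheme)
    algo, dlen, salted = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False
    if len(raw) < dlen or (not salted and len(raw) != dlen):
        return False
    digest, salt = raw[:dlen], raw[dlen:]
    computed = hashlib.new(algo, supplied_b + salt).digest()
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    # Constructed sample: password "fnord" with a fixed 4-byte salt.
    stored = make_hash("SSHA", "fnord", salt=b"\x01\x02\x03\x04")
    print(stored)
    print("auto_header = no :", naive_cleartext_compare(stored, "fnord"))
    print("auto_header = yes:", verify_password(stored, "fnord"))
```

A quick sanity check on a real value: the 40 base64 characters after "{SSHA}" in the debug output above (two of them padding) decode to 28 bytes, which is a 20-byte SHA-1 digest followed by an 8-byte salt, the layout the verifier expects. The two FreeRADIUS settings that resolved the thread remain the operative fix: "pap" listed last in the "authorize" section so it can convert the User-Password check item, and "auto_header = yes" in the pap module so the "{SSHA}" prefix is honoured rather than compared as cleartext.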