(RADIATOR) CHAP

Mariano Absatz lradius at pert.com.ar
Wed May 16 09:12:32 CDT 2001


On 16 May 2001, at 9:08, Ingvar Berg (EIP) wrote:

> Or rather: you have to be able to decrypt them in Radiator, before
> using them. I'm not sure if you can do this with a hook, or if you
> need to hack the basic code in Radiator (i.e. persuade Mike or Hugh to
> do some fun coding...) 
or DIY :-)... but the point here is that most of the encryption schemes 
used for storing passwords are one way hash functions (one way being the 
key point here).

You can't (without a considerable computational effort far beyond an 
authentication server) get the original password from the encrypted one.

If you were to use a two way encryption scheme, it would have to encrypt 
and decrypt with the same key (if it uses a symmetric algorithm like DES, 
DES3, or the like) or encrypt with one key and decrypt with another, both 
generated as a pair (conventionally, one is supposed to be public and the 
other private).

The point is that this way, you should put the (master) decryption key 
"open" in the radiator config file, so you just moved the weak point to 
another place.

Now, if you, for instance, keep the passwords in a public open database 
(or LDAP tree or whatever) where anyone can see it and you can keep your 
radiator configuration file really secure (i.e. mode 400 root owned 
inside a mode 500 root owned directory and a really controlled set of 
trustable people knowing the root password), you (or Mike) could do it.



> 
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: den 15 maj 2001 02:54
> To: Anton Krall; radiator at open.com.au
> Subject: Re: (RADIATOR) CHAP
> 
> 
> 
> Hello Anton -
> 
> You cannot use CHAP authentication with encrypted passwords in your 
> database. If you want to use encrypted passwords in the database, you will 
> have to use PAP authentication. If you want to use CHAP authentication you 
> will have to use plaintext passwords in the database.
> 
> hth
> 
> Hugh
> 
> On Tuesday 15 May 2001 08:51, Anton Krall wrote:
> > Guys.
> >
> > I'm getting this error when trying to authenticate with CHAP:
> >
> > Mon May 14 17:47:54 2001: DEBUG: Rewrote user name to akrall at mx.inter.net
> > Mon May 14 17:47:54 2001: DEBUG: Rewrote user name to akrall at mx.inter.net
> > Mon May 14 17:47:54 2001: DEBUG: Handling request with Handler 'Realm=mx.inter.net'
> > Mon May 14 17:47:54 2001: DEBUG: Rewrote user name to akrall
> > Mon May 14 17:47:54 2001: DEBUG: SDBSQLdialup Deleting session for akrall at mx.inter.net, 10.0.0.0, 1234
> > Mon May 14 17:47:54 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='10.0.0.0' and NASPORT=01234
> >
> > Mon May 14 17:47:54 2001: DEBUG: Handling with Radius::AuthSQL
> > Mon May 14 17:47:54 2001: DEBUG: Handling with Radius::AuthDBFILE
> > Mon May 14 17:47:54 2001: DEBUG: Radius::AuthDBFILE looks for match with akrall
> > Mon May 14 17:47:54 2001: WARNING: Cant use encrypted passwords with CHAP
> > Mon May 14 17:47:54 2001: DEBUG: Radius::AuthDBFILE REJECT: Bad Encrypted password
> > Mon May 14 17:47:54 2001: DEBUG: Handling with Radius::AuthDBFILE
> > Mon May 14 17:47:54 2001: DEBUG: Radius::AuthDBFILE looks for match with akrall
> > Mon May 14 17:47:54 2001: INFO: Access rejected for akrall: No such user
> > Mon May 14 17:47:54 2001: DEBUG: Packet dump:
> >
> > My passwords are like this:
> >
> > user [crypt]HAFJSGFD
> >
> > What's the matter?
> >
> > Regards
> >
> > Anton Krall
> > Director of Technology
> > Inter.net Mexico
> > (www.mx.inter.net)
> > Email: akrall at team.inter.net
> > Direct: 5-241-7609
> > Switchboard: 5-241-7600
> > Mobile: 044-5105-5160
> >
> > Outside Mexico:
> > Office: (525)241-7609
> > PBX: (525)241-7600
> > Mobile: (525)105-5160
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.


Mariano Absatz
El Baby
----------------------------------------------------------
Don't worry. I forgot your name, too!
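An added illustration (not part of this thread, and not Radiator's own code) of why the two replies above reach the same conclusion: PAP delivers the plaintext, so the server can re-hash it and compare against a one-way stored value, whereas RFC 1994 CHAP makes the server compute MD5(Identifier || Secret || Challenge) itself, which is impossible when only a hash is stored. A salted SHA-256 entry tagged `[sha256]` is a constructed stand-in for Anton's `[crypt]` entries (Python's crypt module is gone in 3.13); the one-way property that matters is the same.

```python
import hashlib
import hmac
import os

# Constructed one-way stored-password format: "[sha256]<salt-hex>$<digest-hex>".
# Like crypt(3), the plaintext cannot be recovered from this value.
HASH_TAG = "[sha256]"


def store_one_way(password: bytes, salt: bytes = None) -> str:
    """Produce the database entry for a password (hash only, never the plaintext)."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha256(salt + password).hexdigest()
    return f"{HASH_TAG}{salt.hex()}${digest}"


def pap_verify(stored: str, password: bytes) -> bool:
    """PAP: the peer sends the plaintext, so a one-way hash can be re-computed and compared."""
    if stored.startswith(HASH_TAG):
        salt_hex, digest = stored[len(HASH_TAG):].split("$", 1)
        recomputed = hashlib.sha256(bytes.fromhex(salt_hex) + password).hexdigest()
        return hmac.compare_digest(recomputed, digest)
    return hmac.compare_digest(stored.encode(), password)  # plaintext entry


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(stored: str, identifier: int, challenge: bytes, response: bytes):
    """True/False for a plaintext entry; None when the server cannot decide because
    it only holds a one-way hash (the 'Cant use encrypted passwords with CHAP' case)."""
    if stored.startswith(HASH_TAG):
        return None  # nothing to feed into MD5: the secret is not available
    expected = chap_response(identifier, stored.encode(), challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"s3cret"                         # constructed sample credential
    challenge = bytes.fromhex("0102030405060708")  # constructed CHAP challenge
    response = chap_response(7, password, challenge)  # the peer always has the plaintext
    hashed_entry = store_one_way(password, salt=b"\x00" * 8)
    plain_entry = password.decode()
    return {
        "pap_hashed": pap_verify(hashed_entry, password),
        "pap_hashed_wrong": pap_verify(hashed_entry, b"wrong"),
        "chap_plain": chap_verify(plain_entry, 7, challenge, response),
        "chap_plain_wrong": chap_verify(plain_entry, 7, challenge, chap_response(7, b"wrong", challenge)),
        "chap_hashed": chap_verify(hashed_entry, 7, challenge, response),
    }
```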
