(RADIATOR) MSCHAPv2 Authentication Bug
Terry Simons
galimore at mac.com
Wed Mar 5 00:10:56 CST 2003
Hmmm interesting...
At least now I understand why Panther was failing MSCHAPv2
authentications! ;-)
This isn't problematic for me, but at least I understand what's going
on now.
Thanks for your help Hugh.
- Terry
On Mar 4, 2004, at 10:55 PM, Hugh Irvine wrote:
>
> Hello Terry -
>
> Here is the comment block from the beginning of "Radius/MSCHAP.pm":
>
>
> # MSCHAP.pm
> # Implements MSCHAP algorithms as described in
> # draft-ietf-pppext-mschap-00.txt and RFC3079
> # Requires Digest-MD4-1.0 or better, available from CPAN and
> # ActiveState
> #
> # The basic algorithms and how they are used by MS
> #
> # PeerChallenge Username Password
> # | AuthChallenge | |
> # | | | |0-256
> # ------------ | |0-256 v
> # | | | ASCIIToUnicode
> # |16 |16 | |
> # | | | ------ 0-256
> # v v v v
> # MSCHAPV2--> GenerateNTResponse
> # | | | |
> # |16 |16 |0-256 |0-256
> # v v v |
> # ChallengeHash |
> # | |
> # |8 |
> # | |
> # v v
> # MSCHAP--> NtChallengeResponse
> # | |
> # |8 |0-256
> # | |
> # | NTPasswordHash
> # | |
> # ------- |16
> # | |
> # v v
> # ChallengeResponse
> # |
> # |24
> # v
> #
> # Author: Mike McCauley (mikem at open.com.au)
> #
> # This code is offered on the same terms as
> draft-ietf-pppext-mschap-00.txt
> # $Id: MSCHAP.pm,v 1.7 2003/12/23 22:40:17 mikem Exp $
>
>
> As you can see, you cannot really use a RewriteUsername because the
> algorithm uses the full username as entered by the user.
>
> In other words, you must match the same username string as is entered
> by the user.
>
> regards
>
> Hugh
>
>
> On 5 Mar 2003, at 16:43, Terry Simons wrote:
>
>> Hello,
>>
>> I have discovered a bug in Radiator that causes MSCHAPv2
>> authentications to fail in certain circumstances.
>>
>> I don't understand how MSCHAPv2 actually hashes, but based on the way
>> the bug manifests itself, here is what I *believe* may be happening:
>>
>> When using a handler that distinguishes by Realm, if the
>> authentication needs to be done against a stripped username the
>> authentication will fail.
>>
>> For instance...
>>
>> If the user terry at library.utah.edu authenticates, but the users file
>> only contains the name "terry", the authentication fails for me, even
>> though I strip the realm.
>>
>> Does MSCHAPv2 use the username to hash against? If so, I believe
>> that Radiator may be using the unstripped name to hash against, when
>> it should be using the stripped name, if one exists (since there
>> would be no reason to strip the name, unless it is required to
>> sucessfully authenticate, I think...)
>>
>> Does that make any sense whatsoever? 8-)
>>
>> If not, maybe my traces and configurations can help ;-)
>>
>> I've included my user file, a "broken" configuration, a "working"
>> configuration, and the output (trace 4) of both configurations from
>> my tests.
>>
>> For the broken configuration, I used a fully-qualified username
>> during authentication. For the working configuration I did not use a
>> fully qualified name... (So: terry at library.utah.edu for the broken
>> authentication, terry for the working authentication).
>>
>>
>> <RADIATOR_MSCHAPv2_BUG.tar.gz>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list