(RADIATOR) Extended DES Password Support

Baron Fujimoto baron at lava.net
Fri Apr 22 18:25:25 CDT 2005


I've found a workaround for this and have included a patch below for
consideration.

One of my colleagues determined that under FreeBSD (and possibly other
similar OSes), if an application uses the crypt(3) function, it depends
on whether or not the libcrypt library (where crypt(3) is kept) was compiled
with the DES module or not.  By default, the library supports the traditional
password format and also MD5 passwords.  However, support for the DES
extended format and also support for Blowfish has to be compiled in
explicitly.

The way we checked for this was as follows:

  $ nm /usr/lib/libcrypt.a | grep 'crypt-'
  crypt-blowfish.o:
  crypt-des.o:
  crypt-md5.o:

However, Radiator would still fail to decrypt this with the error
  Radius::AuthUNIX REJECT: Bad Encrypted password

I then noticed in the section 13.1.2 of the reference manual that, "Radiator
will assume it is a Unix crypt(3) password if it is 13 bytes long".

The BSD/OS DES extended format encrypted passwords were 20 bytes long, and
the crypt(3) man page from the BSD/OS system also stated the following:

  The crypt function performs password encryption.  It is derived from the
  NBS Data Encryption Standard.  Additional code has been added to deter
  key search attempts.  The first argument to crypt is a NUL-terminated
  string (normally a password typed by a user).  The second is a character
  array, 9 bytes in length, consisting of an underscore (``_'') followed by
  4 bytes of iteration count and 4 bytes of salt.  Both the iteration count
  and the salt are encoded with 6 bits per character, least significant
  bits first.  The values 0 to 63 are encoded by the characters ``./0-9A-
  Za-z'', respectively.

Using this information, I modified AuthGeneric.pm to successfully
authenticate using DES extended format passwords.

--- Radius/AuthGeneric.pm.orig  Wed Mar 16 18:58:27 2005
+++ Radius/AuthGeneric.pm       Fri Apr 22 13:15:02 2005
@@ -905,0 +906,7 @@
+            elsif ((length($pw) == 20) && ($pw =~ m:^_[./a-zA-Z\d]{4}:))
+            {
+                # DES Extended Format as used in BSD/OS (nee BSDI)
+                #   also uses crypt(3), as long as the libcrypt library was 
+                #   compiled with DES support.
+                $result = (crypt($submitted_pw, $pw) eq $pw);
+            }
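Review bot: the hunk header `@@ -905,0 +906,7 @@` carries no context lines, so a reviewer cannot see which if/elsif chain in AuthGeneric.pm this branch joins, or confirm that `$pw` and `$submitted_pw` are the variable names in scope at line 905; please regenerate the patch with unified context. The guard `m:^_[./a-zA-Z\d]{4}:` also only inspects the underscore and the 4 iteration-count characters; since the whole 20-byte string (count, salt and hash) is drawn from the same ./0-9A-Za-z alphabet, `m:^_[./0-9A-Za-z]{19}$:` would reject malformed entries before they reach crypt(). Finally, when libcrypt was built without DES support, crypt() returns something other than the stored hash and the `eq` comparison fails with the same generic "Bad Encrypted password" reject seen in the original report; logging that the extended format was recognised but could not be verified would make that configuration problem visible instead of indistinguishable from a wrong password.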

Aloha,
Baron
-- 
Baron Fujimoto   |  LavaNet, Inc.


On Fri, 4 Mar 2005, Hugh Irvine wrote:

: All of the password formats that Radiator currently understands are listed in
: section 13.1.1 in the Radiator 3.11 reference manual ("doc/ref.html").
: 
: [...]
:
: On 3 Mar 2005, at 22:37, Derrin Chong wrote:
: 
: > Greetings,
: > 
: > Is there a way to authenticate users with passwords in extended
: > DES (_J9...) format that are not in the UNIX passwd file, i.e.,
: > using the AuthUNIX.pm module?
: > 
: > I'm trying to set up Radiator on FreeBSD 4.11 to authenticate against
: > a master.passwd file exported from another FreeBSD system.  The
: > exported passwd file has passwords that are in extended DES format
: > -- they were originally from a BSDI system.  I get a "Bad Encrypted
: > password" error when trying to authenticate.
: > 
: > However, if I change the password in the exported passwd file to
: > MD5 format I am able to authenticate successfully.
: > 
: > I have an entry in the radius.cfg as follows:
: > 
: > <Realm>
: >         <AuthBy UNIX>
: >                 Filename        /usr/local/etc/raddb/passwd
: >         </AuthBy>
: > 
: >         # Be more verbose with errors
: >         RejectHasReason
: > 
: >         # Log accounting to the detail file in LogDir
: >         AcctLogFileName %L/detail
: > </Realm>
: > 
: > When I attempt to authenticate against the extended DES password I
: > get the following:
: > 
: > Attributes:
: >         User-Name = "joebogus"
: >         User-Password = "<31>a<169><15><221><223><158><187>`<255><145>"
: >         NAS-IP-Address = 64.65.64.43
: >         NAS-Port = 20101
: >         NAS-Port-Type = Async
: >         State = ""
: >         Token = ""
: >         Calling-Station-Id = "8085233517"
: >         Called-Station-Id = "5666101"
: >         Acct-Session-Id = "357976393"
: > 
: > Tue Mar  1 10:57:33 2005: DEBUG: Handling request with Handler 'Realm='
: > Tue Mar  1 10:57:33 2005: DEBUG:  Deleting session for joebogus, 64.65.64.43, 20101
: > Tue Mar  1 10:57:33 2005: DEBUG: Handling with Radius::AuthUNIX:
: > Tue Mar  1 10:57:33 2005: DEBUG: Radius::AuthUNIX looks for match with joebogus
: > Tue Mar  1 10:57:33 2005: DEBUG: Radius::AuthUNIX REJECT: Bad Encrypted password
: > Tue Mar  1 10:57:33 2005: INFO: Access rejected for joebogus: Bad Encrypted password
: > Tue Mar  1 10:57:33 2005: DEBUG: Packet dump:
: > *** Sending to 64.65.64.43 port 1025 ....
: > Code:       Access-Reject

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
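The crypt(3) string layout quoted from the BSD/OS man page above, together with the length and prefix detection the thread turns on, worked through as an added Python example. This is not Radiator's code (Radiator is Perl) and not the patch author's; it only mirrors the checks being discussed. The sample strings are constructed to have the right shape for each format and are not real password hashes; only the `_J9..` iteration-count prefix is taken from the original question. `verify_with_system_crypt` is the one part that touches the platform libcrypt, and it reports "unsupported" rather than "wrong password" when that library cannot handle the format, which is exactly the failure mode the thread spent time diagnosing.

```python
"""Recognise and decode crypt(3) password formats, including BSD/OS extended DES.

Added example, not Radiator code.  The classifier mirrors the length and
prefix checks discussed in the thread; the extended-DES decoder follows the
crypt(3) man page quoted there: '_' + 4 chars of iteration count + 4 chars
of salt (6 bits per char, least significant bits first) + 11 chars of hash.
"""
import hmac
import re

# crypt(3) alphabet: values 0..63 map to ./0-9A-Za-z in that order.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_A64 = "[./0-9A-Za-z]"

_TRADITIONAL_DES = re.compile(rf"^{_A64}{{13}}$")          # 2 salt + 11 hash
_EXTENDED_DES = re.compile(rf"^_{_A64}{{19}}$")            # '_' + 4 count + 4 salt + 11 hash
_MD5 = re.compile(rf"^\$1\$[^$]{{1,8}}\${_A64}{{22}}$")     # FreeBSD/glibc $1$ format
_BCRYPT = re.compile(rf"^\$2[abxy]?\$\d{{2}}\${_A64}{{53}}$")


def radiator_length_check(stored: str) -> bool:
    """The heuristic from the Radiator reference manual quoted in the thread:
    a stored password is treated as crypt(3) only if it is 13 bytes long.
    Extended DES strings are 20 bytes, so they fall through this check."""
    return len(stored) == 13


def classify_crypt_hash(stored: str):
    """Return a format name, or None if the string is not a crypt(3) hash we know."""
    if _EXTENDED_DES.match(stored):
        return "des-extended"
    if _TRADITIONAL_DES.match(stored):
        return "des-traditional"
    if _MD5.match(stored):
        return "md5"
    if _BCRYPT.match(stored):
        return "bcrypt"
    return None


def _decode_a64(chars: str) -> int:
    """Decode 6 bits per character, least significant bits first (per the man page)."""
    value = 0
    for i, ch in enumerate(chars):
        value |= _ITOA64.index(ch) << (6 * i)
    return value


def decode_extended_des_setting(stored: str):
    """Return (iteration_count, salt) for an extended-DES string.
    The BSD/OS default prefix '_J9..' decodes to 725 iterations."""
    if not _EXTENDED_DES.match(stored):
        raise ValueError("not an extended DES crypt(3) string")
    return _decode_a64(stored[1:5]), _decode_a64(stored[5:9])


def verify_with_system_crypt(password: str, stored: str):
    """True/False if the platform crypt(3) verified the password, or None when
    the local libcrypt cannot handle this format (the FreeBSD case in the
    thread).  Distinguishing None from False is the point: a libcrypt built
    without DES returns a different-looking string or NULL, not a mismatch."""
    try:
        import crypt  # deprecated in Python 3.11, removed in 3.13
    except ImportError:
        return None
    try:
        result = crypt.crypt(password, stored)
    except (OSError, ValueError):
        return None
    if result is None or classify_crypt_hash(result) != classify_crypt_hash(stored):
        return None
    return hmac.compare_digest(result, stored)


# Constructed samples: correctly shaped for each format, NOT real hashes.
SAMPLES = {
    "_J9..AAAAbcdefghijkl": "des-extended",
    "abJnggxhB/yWI": "des-traditional",
    "$1$saltsalt$" + "a" * 22: "md5",
    "$2a$10$" + "b" * 53: "bcrypt",
    "not-a-hash": None,
}

if __name__ == "__main__":
    for stored, expected in SAMPLES.items():
        kind = classify_crypt_hash(stored)
        note = ""
        if kind == "des-extended":
            count, salt = decode_extended_des_setting(stored)
            note = f" (iterations={count}, salt=0x{salt:06x})"
        print(f"{stored:34} -> {kind}{note}; 13-byte rule says crypt: "
              f"{radiator_length_check(stored)}")
        assert kind == expected
```

Run it directly to see each sample classified; the extended-DES entry is reported as crypt-style but fails the 13-byte rule, which is why the unpatched AuthGeneric.pm rejected it. `verify_with_system_crypt` is deliberately not exercised against a real hash here because the answer depends on how the local libcrypt was built.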