(RADIATOR) Extended DES Password Support
Hugh Irvine
hugh at open.com.au
Sat Apr 23 04:21:04 CDT 2005
Hello -
Many thanks for your contribution.
Mike will look at this early next week.
regards
Hugh
On 23 Apr 2005, at 09:25, Baron Fujimoto wrote:
> I've found a workaround for this and have included a patch below for
> consideration.
>
> One of my colleagues determined that that under FreeBSD (and possibly
> other
> similar OS's) that if an application uses the crypt(3) function, it
> depends
> on whether or not the libcrypt library (where crypt(3) is kept) was
> compiled
> with the DES module or not. By default, the library supports the
> traditional
> password format and also MD5 passwords. However, support for the DES
> extended format and also support for Blowfish has to be compiled in
> explicitly.
>
> The way we checked for this was as follows:
>
> $ nm /usr/lib/libcrypt.a | grep 'crypt-'
> crypt-blowfish.o:
> crypt-des.o:
> crypt-md5.o:
>
> However, Radiator would still fail to decrypt this with the error
> Radius::AuthUNIX REJECT: Bad Encrypted password
>
> I then noticed in the section 13.1.2 of the reference manual that,
> "Radiator
> will assume it is a Unix crypt(3) password if it is 13 bytes long".
>
> The BSD/OS DES extended format encrypted passwords were 20 bytes long,
> and
> the crypt(3) man page from the BSD/OS system also stated the following:
>
> The crypt function performs password encryption. It is derived from
> the
> NBS Data Encryption Standard. Additional code has been added to
> deter
> key search attempts. The first argument to crypt is a NUL-terminated
> string (normally a password typed by a user). The second is a
> character
> array, 9 bytes in length, consisting of an underscore (``_'')
> followed by
> 4 bytes of iteration count and 4 bytes of salt. Both the iteration
> count
> and the salt are encoded with 6 bits per character, least significant
> bits first. The values 0 to 63 are encoded by the characters
> ``./0-9A-
> Za-z'', respectively.
>
> Using this information, I modified AuthGeneric.pm to successfully
> authenticate using DES extended format passwords.
>
> --- Radius/AuthGeneric.pm.orig Wed Mar 16 18:58:27 2005
> +++ Radius/AuthGeneric.pm Fri Apr 22 13:15:02 2005
> @@ -905,0 +906,7 @@
> + elsif ((length($pw) == 20) && ($pw =~
> m:^_[./a-zA-Z\d]{4}:))
> + {
> + # DES Extended Format as used in BSD/OS (nee BSDI)
> + # also uses crypt(3), as long as the libcrypt
> library was
> + # compiled with DES support.
> + $result = (crypt($submitted_pw, $pw) eq $pw);
> + }
>
> Aloha,
> Baron
> --
> Baron Fujimoto | LavaNet, Inc.
>
>
> On Fri, 4 Mar 2005, Hugh Irvine wrote:
>
> : All of the password formats that Radiator currently understands are
> listed in
> : section 13.1.1 in the Radiator 3.11 reference manual
> ("doc/ref.html").
> :
> : [...]
> :
> : On 3 Mar 2005, at 22:37, Derrin Chong wrote:
> :
> : > Greetings,
> : >
> : > Is there a way to authenticate users with passwords in extended
> : > DES (_J9...) format that are not in the UNIX passwd file, i.e.,
> : > using the AuthUNIX.pm module.
> : >
> : > I'm trying to setup Radiator on FreeBSD 4.11 to authenticate
> against
> : > a master.passwd file exported from another FreeBSD system. The
> : > exported passwd file has passwords that are in extended DES format
> : > -- they were originally from a BSDI system. I get a "Bad Encrypted
> : > password" error when trying to authenticate.
> : >
> : > However, if I change the password in the exported passwd file to
> : > MD5 format I am able to authenticate successfully.
> : >
> : > I have an entry in the radius.cfg as follows:
> : >
> : > <Realm>
> : > <AuthBy UNIX>
> : > Filename /usr/local/etc/raddb/passwd
> : > </AuthBy>
> : >
> : > # Be more verbose with errors
> : > RejectHasReason
> : >
> : > # Log accounting to the detail file in LogDir
> : > AcctLogFileName %L/detail
> : > </Realm>
> : >
> : > When I attempt to authenticate against the extended DES password I
> : > get the following:
> : >
> : > Attributes:
> : > User-Name = "joebogus"
> : > User-Password =
> "<31>a<169><15><221><223><158><187>`<255><145>"
> : > NAS-IP-Address = 64.65.64.43
> : > NAS-Port = 20101
> : > NAS-Port-Type = Async
> : > State = ""
> : > Token = ""
> : > Calling-Station-Id = "8085233517"
> : > Called-Station-Id = "5666101"
> : > Acct-Session-Id = "357976393"
> : >
> : > Tue Mar 1 10:57:33 2005: DEBUG: Handling request with Handler
> 'Realm='
> : > Tue Mar 1 10:57:33 2005: DEBUG: Deleting session for joebogus,
> 64.65.64.43, 20101
> : > Tue Mar 1 10:57:33 2005: DEBUG: Handling with Radius::AuthUNIX:
> : > Tue Mar 1 10:57:33 2005: DEBUG: Radius::AuthUNIX looks for match
> with joebogus
> : > Tue Mar 1 10:57:33 2005: DEBUG: Radius::AuthUNIX REJECT: Bad
> Encrypted password
> : > Tue Mar 1 10:57:33 2005: INFO: Access rejected for joebogus: Bad
> Encrypted password
> : > Tue Mar 1 10:57:33 2005: DEBUG: Packet dump:
> : > *** Sending to 64.65.64.43 port 1025 ....
> : > Code: Access-Reject
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list