(RADIATOR) Extended DES Password Support

Hugh Irvine hugh at open.com.au
Sat Apr 23 04:21:04 CDT 2005


Hello -

Many thanks for your contribution.

Mike will look at this early next week.

regards

Hugh


On 23 Apr 2005, at 09:25, Baron Fujimoto wrote:

> I've found a workaround for this and have included a patch below for
> consideration.
>
> One of my colleagues determined that under FreeBSD (and possibly other
> similar OSes), if an application uses the crypt(3) function, it depends
> on whether or not the libcrypt library (where crypt(3) is kept) was
> compiled with the DES module or not.  By default, the library supports
> the traditional password format and also MD5 passwords.  However,
> support for the DES extended format and also support for Blowfish has
> to be compiled in explicitly.
>
> The way we checked for this was as follows:
>
>   $ nm /usr/lib/libcrypt.a | grep 'crypt-'
>   crypt-blowfish.o:
>   crypt-des.o:
>   crypt-md5.o:
>
> However, Radiator would still fail to decrypt this with the error
>   Radius::AuthUNIX REJECT: Bad Encrypted password
>
> I then noticed in section 13.1.2 of the reference manual that, "Radiator
> will assume it is a Unix crypt(3) password if it is 13 bytes long".
>
> The BSD/OS DES extended format encrypted passwords were 20 bytes long, and
> the crypt(3) man page from the BSD/OS system also stated the following:
>
>   The crypt function performs password encryption.  It is derived from
>   the NBS Data Encryption Standard.  Additional code has been added to
>   deter key search attempts.  The first argument to crypt is a
>   NUL-terminated string (normally a password typed by a user).  The
>   second is a character array, 9 bytes in length, consisting of an
>   underscore (``_'') followed by 4 bytes of iteration count and 4 bytes
>   of salt.  Both the iteration count and the salt are encoded with 6
>   bits per character, least significant bits first.  The values 0 to 63
>   are encoded by the characters ``./0-9A-Za-z'', respectively.
>
> Using this information, I modified AuthGeneric.pm to successfully
> authenticate using DES extended format passwords.
>
> --- Radius/AuthGeneric.pm.orig  Wed Mar 16 18:58:27 2005
> +++ Radius/AuthGeneric.pm       Fri Apr 22 13:15:02 2005
> @@ -905,0 +906,7 @@
> +            elsif ((length($pw) == 20) && ($pw =~ 
> m:^_[./a-zA-Z\d]{4}:))
> +            {
> +                # DES Extended Format as used in BSD/OS (nee BSDI)
> +                #   also uses crypt(3), as long as the libcrypt 
> library was
> +                #   compiled with DES support.
> +                $result = (crypt($submitted_pw, $pw) eq $pw);
> +            }
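Review bot: the pattern in the new `elsif`, `m:^_[./a-zA-Z\d]{4}:`, validates only the 4-character iteration count; the man page quoted above says the salt is another 4 characters from the same alphabet and the remaining 11 characters are the hash, so anchoring the whole string, e.g. `m:^_[./0-9A-Za-z]{19}$:`, would reject a malformed 20-byte entry before it is handed to crypt(). The hunk header `@@ -905,0 +906,7 @@` also carries no context lines, so it is not visible which `if`/`elsif` chain this joins or where `$pw`, `$submitted_pw` and `$result` come from; a `diff -u` against the 3.11 file would make the placement reviewable.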
>
> Aloha,
> Baron
> -- 
> Baron Fujimoto   |  LavaNet, Inc.
>
>
> On Fri, 4 Mar 2005, Hugh Irvine wrote:
>
> : All of the password formats that Radiator currently understands are
> : listed in section 13.1.1 in the Radiator 3.11 reference manual
> : ("doc/ref.html").
> :
> : [...]
> :
> : On 3 Mar 2005, at 22:37, Derrin Chong wrote:
> :
> : > Greetings,
> : >
> : > Is there a way to authenticate users with passwords in extended
> : > DES (_J9...) format that are not in the UNIX passwd file, i.e.,
> : > using the AuthUNIX.pm module.
> : >
> : > I'm trying to set up Radiator on FreeBSD 4.11 to authenticate against
> : > a master.passwd file exported from another FreeBSD system.  The
> : > exported passwd file has passwords that are in extended DES format
> : > -- they were originally from a BSDI system.  I get a "Bad Encrypted
> : > password" error when trying to authenticate.
> : >
> : > However, if I change the password in the exported passwd file to
> : > MD5 format I am able to authenticate successfully.
> : >
> : > I have an entry in the radius.cfg as follows:
> : >
> : > <Realm>
> : >         <AuthBy UNIX>
> : >                 Filename        /usr/local/etc/raddb/passwd
> : >         </AuthBy>
> : >
> : >         # Be more verbose with errors
> : >         RejectHasReason
> : >
> : >         # Log accounting to the detail file in LogDir
> : >         AcctLogFileName %L/detail
> : > </Realm>
> : >
> : > When I attempt to authenticate against the extended DES password I
> : > get the following:
> : >
> : > Attributes:
> : >         User-Name = "joebogus"
> : >         User-Password = "<31>a<169><15><221><223><158><187>`<255><145>"
> : >         NAS-IP-Address = 64.65.64.43
> : >         NAS-Port = 20101
> : >         NAS-Port-Type = Async
> : >         State = ""
> : >         Token = ""
> : >         Calling-Station-Id = "8085233517"
> : >         Called-Station-Id = "5666101"
> : >         Acct-Session-Id = "357976393"
> : >
> : > Tue Mar  1 10:57:33 2005: DEBUG: Handling request with Handler 'Realm='
> : > Tue Mar  1 10:57:33 2005: DEBUG:  Deleting session for joebogus, 64.65.64.43, 20101
> : > Tue Mar  1 10:57:33 2005: DEBUG: Handling with Radius::AuthUNIX:
> : > Tue Mar  1 10:57:33 2005: DEBUG: Radius::AuthUNIX looks for match with joebogus
> : > Tue Mar  1 10:57:33 2005: DEBUG: Radius::AuthUNIX REJECT: Bad Encrypted password
> : > Tue Mar  1 10:57:33 2005: INFO: Access rejected for joebogus: Bad Encrypted password
> : > Tue Mar  1 10:57:33 2005: DEBUG: Packet dump:
> : > *** Sending to 64.65.64.43 port 1025 ....
> : > Code:       Access-Reject
>
>

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
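As an added illustration (not code from the thread or from Radiator), here is the hash-shape classification the thread turns on, plus a decoder for the extended DES header described in the quoted BSD/OS man page: the `_J9..` prefix Derrin mentions decodes to 725 iterations. The sample hash is constructed and is not a real password hash.

```python
import re

# Alphabet from the BSD/OS man page: values 0..63 map to "./0-9A-Za-z".
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# "_" + 4 chars iteration count + 4 chars salt + 11 chars of hash = 20 bytes.
EXT_DES_RE = re.compile(r"^_[./0-9A-Za-z]{19}$")
# Traditional crypt(3): 2 chars salt + 11 chars hash = 13 bytes.
TRAD_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def decode_a64(chars):
    """Decode itoa64 characters, least significant 6 bits first."""
    value = 0
    for i, c in enumerate(chars):
        value |= ITOA64.index(c) << (6 * i)
    return value


def encode_a64(value, length):
    """Inverse of decode_a64: emit `length` chars, low 6 bits first."""
    out = []
    for _ in range(length):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def classify_hash(pw):
    """Which crypt(3) family a stored hash belongs to, judged by shape alone."""
    if pw.startswith("$1$"):
        return "md5"
    if pw.startswith("$2"):          # Blowfish, also optional in libcrypt
        return "blowfish"
    if TRAD_DES_RE.match(pw):
        return "des"                 # the 13-byte case Radiator already handled
    if EXT_DES_RE.match(pw):
        return "extended-des"        # the 20-byte case the patch adds
    return "unknown"


def parse_extended_des(pw):
    """Split an extended DES hash into iteration count, salt and hash body."""
    if classify_hash(pw) != "extended-des":
        raise ValueError("not a BSD/OS extended DES crypt string")
    return {"iterations": decode_a64(pw[1:5]), "salt": pw[5:9], "hash": pw[9:]}


# Constructed sample: the "_J9.." header from the thread with a made-up salt
# and hash body; it does not correspond to any real password.
SAMPLE = "_J9..SALTabcdefghijk"
```

Whether crypt(3) on the host can actually verify such a hash still depends on libcrypt having been built with DES support, as the thread explains; the classifier only tells you which verifier to call.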
