(RADIATOR) Extended DES Password Support

Mike McCauley mikem at open.com.au
Mon Apr 25 04:08:17 CDT 2005


Hello,

Thanks for reporting this, and for your patch.

The patch has been added to the latest Radiator patch set and will be included 
in the next release.

Thanks again, and we apologise for any inconvenience.

Cheers.

On Saturday 23 April 2005 09:25, you wrote:
> I've found a workaround for this and have included a patch below for
> consideration.
>
> One of my colleagues determined that under FreeBSD (and possibly other
> similar OS's), if an application uses the crypt(3) function, it depends
> on whether or not the libcrypt library (where crypt(3) is kept) was
> compiled with the DES module or not.  By default, the library supports the
> traditional password format and also MD5 passwords.  However, support for
> the DES extended format and also support for Blowfish has to be compiled in
> explicitly.
>
> The way we checked for this was as follows:
>
>   $ nm /usr/lib/libcrypt.a | grep 'crypt-'
>   crypt-blowfish.o:
>   crypt-des.o:
>   crypt-md5.o:
>
> However, Radiator would still fail to decrypt this with the error
>   Radius::AuthUNIX REJECT: Bad Encrypted password
>
> I then noticed in the section 13.1.2 of the reference manual that,
> "Radiator will assume it is a Unix crypt(3) password if it is 13 bytes
> long".
>
> The BSD/OS DES extended format encrypted passwords were 20 bytes long, and
> the crypt(3) man page from the BSD/OS system also stated the following:
>
>   The crypt function performs password encryption.  It is derived from the
>   NBS Data Encryption Standard.  Additional code has been added to deter
>   key search attempts.  The first argument to crypt is a NUL-terminated
>   string (normally a password typed by a user).  The second is a character
>   array, 9 bytes in length, consisting of an underscore (``_'') followed by
>   4 bytes of iteration count and 4 bytes of salt.  Both the iteration count
>   and the salt are encoded with 6 bits per character, least significant
>   bits first.  The values 0 to 63 are encoded by the characters
>   ``./0-9A-Za-z'', respectively.
>
> Using this information, I modified AuthGeneric.pm to successfully
> authenticate using DES extended format passwords.
>
> --- Radius/AuthGeneric.pm.orig  Wed Mar 16 18:58:27 2005
> +++ Radius/AuthGeneric.pm       Fri Apr 22 13:15:02 2005
> @@ -905,0 +906,7 @@
> +            elsif ((length($pw) == 20) && ($pw =~ m:^_[./a-zA-Z\d]{4}:))
> +            {
> +                # DES Extended Format as used in BSD/OS (nee BSDI)
> +                #   also uses crypt(3), as long as the libcrypt library
> was +                #   compiled with DES support.
> +                $result = (crypt($submitted_pw, $pw) eq $pw);
> +            }
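Review bot: the guard `$pw =~ m:^_[./a-zA-Z\d]{4}:` only checks the first five characters of the 20-byte string; the man page quoted above gives the full setting as `_` plus 4 count characters and 4 salt characters, all from `./0-9A-Za-z`, and the 11 hash characters use the same alphabet, so anchoring the pattern over the whole string (e.g. `m:^_[./0-9A-Za-z]{19}$:`) would reject malformed entries before they reach crypt(). The comment line in the hunk has also been wrapped by the mailer ("was" has been pushed onto the next line in front of the following "+"), so the patch as posted will not apply cleanly until that line is re-joined. The comparison itself fails closed: on a libcrypt without the extended DES module, crypt() does not return $pw and $result stays false, which is the right direction, although a distinct log message for "unsupported hash format" would save operators from chasing "Bad Encrypted password" the way this report did.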
>
> Aloha,
> Baron
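The setting layout quoted above from the BSD/OS crypt(3) man page, decoded in Python as an added example (this is not Radiator code or Baron's patch); the sample hash below is constructed, with a made-up salt and digest, and the classifier applies the same length rules the thread discusses:

```python
# Added example (not Radiator code): decode the BSD/OS "extended DES" crypt(3)
# setting described in the quoted man page, and classify a stored hash by the
# length rules discussed in the thread.
import re

# Encoding alphabet from the man page: values 0..63 map to "./0-9A-Za-z".
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_VALUE = {c: i for i, c in enumerate(ALPHABET)}

# Traditional DES: 2 salt chars + 11 hash chars = 13 bytes (Radiator's rule).
# Extended DES:    "_" + 4 count chars + 4 salt chars + 11 hash chars = 20 bytes.
TRADITIONAL_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
EXTENDED_RE = re.compile(r"^_[./0-9A-Za-z]{19}$")


def decode_lsb_first(chars):
    """Decode a run of 6-bit characters, least significant bits first."""
    value = 0
    for i, c in enumerate(chars):
        if c not in _VALUE:
            raise ValueError(f"invalid crypt(3) character {c!r}")
        value |= _VALUE[c] << (6 * i)
    return value


def parse_extended_des(pw):
    """Return (iteration_count, salt, hash_chars) for a 20-byte extended DES hash."""
    if not EXTENDED_RE.match(pw):
        raise ValueError("not a BSD/OS extended DES crypt(3) string")
    count = decode_lsb_first(pw[1:5])   # 4 chars of iteration count
    salt = decode_lsb_first(pw[5:9])    # 4 chars of salt
    return count, salt, pw[9:]


def classify_crypt_hash(pw):
    """Classify a stored hash the way the thread's length checks would."""
    if TRADITIONAL_RE.match(pw):
        return "des-traditional"   # 13 bytes, Radiator's existing rule
    if EXTENDED_RE.match(pw):
        return "des-extended"      # 20 bytes, the case the patch adds
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: "_J9.." is the common 725-iteration setting; the
    # salt "SKaH" and the 11 hash characters are made up, not a real digest.
    sample = "_J9..SKaHAbCdEfGhIjK"
    print(classify_crypt_hash(sample), parse_extended_des(sample))
```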

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
