[RADIATOR] crypt password to check against encrypted password stored in MySql

Heikki Vatiainen hvn at open.com.au
Fri Aug 30 06:06:43 CDT 2013


On 08/30/2013 10:46 AM, Jeffrey Lee wrote:

> Hi, how do you perform a crypt (one-way hash) on a password to check
> against an encrypted password stored in MySql?

You need to return the password hash with a prefix that tells this is a
hash (and what kind of hash this is) and not a plain text password.

For example:
- password is fred
- MySQL hashing produces 0569ef75321b8fed
- You need to return {mysql}0569ef75321b8fed so that Radiator knows to
hash the incoming User-Password first instead of comparing it directly
to 0569ef75321b8fed.

> I have a <AuthBy SQL>
> 
> AuthSelect call sp_GetUserPassword('%{User-Name}')
> AuthColumnDef 0, User-Password, check
> 
> The stored procedure (MySql routine) will return the encrypted password,
> but since the password sent to Radiator is in clear-text, the
> authentication request will be rejected.

Change sp_GetUserPassword() to return {mysql}hashedvalue instead of
plain hashedvalue.

If that is not possible, use TranslatePasswordHook in the AuthBy:

TranslatePasswordHook sub { return '{mysql}' . $_[0]; }

> I'll need the clear-text password sent to radiator to be first encrypted
> (similar to PHP's crypt with salt) before comparing against database.

A better way to do this is to let Radiator know what the DB has. In this
case you need to tell it the DB has MySQL hashes.

> Does anyone have a solution to this?

Please let us know if the above helps.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
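
An added example, not part of the original message and not Radiator's own code: a Python model of why the {mysql} prefix changes the outcome of the check. It assumes {mysql} denotes the pre-4.1 MySQL password hash, which reproduces the 16-digit value quoted in the message; the function names are hypothetical.

```python
import hmac

PREFIX = "{mysql}"  # tag from the message: marks the value as a MySQL hash


def mysql_old_password(password: str) -> str:
    """Pre-4.1 MySQL password hash: two 31-bit words as 16 hex digits."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for c in password.encode():
        if c in (0x20, 0x09):  # the algorithm skips spaces and tabs
            continue
        nr = (nr ^ ((((nr & 63) + add) * c) + (nr << 8))) & 0xFFFFFFFF
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
        add += c
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def translate_password(db_value: str) -> str:
    """Same effect as the TranslatePasswordHook in the message."""
    return PREFIX + db_value


def check_password(submitted: str, stored: str) -> bool:
    """Simplified model of a prefix-aware password check (hypothetical)."""
    if stored.lower().startswith(PREFIX):
        expected = stored[len(PREFIX):].lower()
        candidate = mysql_old_password(submitted)  # hash first, then compare
    else:
        expected, candidate = stored, submitted  # untagged: plain comparison
    return hmac.compare_digest(candidate.encode(), expected.encode())


if __name__ == "__main__":
    db_value = "0569ef75321b8fed"  # value from the message (password "fred")
    print(mysql_old_password("fred"))
    print(check_password("fred", db_value))                      # untagged
    print(check_password("fred", translate_password(db_value)))  # tagged
```

With the untagged value the submitted password is compared against the hash string itself, which is why the request described in the question is rejected.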

