[RADIATOR] crypt password to check against encrypted password stored in MySql

Heikki Vatiainen hvn at open.com.au
Sun Sep 1 04:53:27 CDT 2013


On 08/31/2013 01:54 PM, Jeff Lee wrote:

> My encrypted password is salted using php crypt function. Is there a similar encryption function that I can add a salt to it?

I think the default crypt in PHP is the Unix DES crypt. You could prefix
your hash with {crypt}.

> For this option 'TranslatePasswordHook', is it possible to salt the password? Or perhaps, call a MySQL function to pass in the password received by radiator and allow MySQL to generate the hashed password and return to radiator for comparing against 'sp_GetUserPassword'?

Hmm, I suggest you should take a look at the different hashing and
encryption options in the reference manual ref.pdf. See sections 13.1.1
and 13.1.2 for User-Password and Encrypted-Password check items. You may
find the suitable {prefix} from there if your PHP crypt does something
else than Unix DES crypt.

If you want to pass the password to MySQL function, use %P to get
decoded User-Password.

Thanks,
Heikki


> Thanks,
> Jeff 
> 
> 
> Sent from my iPhone
> 
> On 30/08/2013, at 7:06 PM, Heikki Vatiainen <hvn at open.com.au> wrote:
> 
>> On 08/30/2013 10:46 AM, Jeffrey Lee wrote:
>>
>>> Hi, how do you perform a crypt (one-way hash) on a password to check
>>> against an encrypted password stored in MySql?
>>
>> You need to return the password hash with a prefix that tells this is a
>> hash (and what kind of hash this is) and not a plain text password.
>>
>> For example:
>> - password is fred
>> - MySQL hashing produces 0569ef75321b8fed
>> - You need to return {mysql}0569ef75321b8fed so that Radiator knows to
>> hash the incoming User-Password first instead of comparing it directly
>> to 0569ef75321b8fed.
>>
>>> I have a <AuthBy SQL>
>>>
>>> AuthSelect call sp_GetUserPassword('%{User-Name}')
>>> AuthColumnDef 0, User-Password, check
>>>
>>> The stored procedure (MySql routine) will return the encrypted password,
>>> but since the password sent to Radiator is in clear-text, the
>>> authentication request will be rejected.
>>
>> Change sp_GetUserPassword() to return {mysql}hashedvalue instead of
>> plain hashedvalue.
>>
>> If that is not possible, use TranslatePasswordHook in the AuthBy:
>>
>> TranslatePasswordHook sub { return '{mysql}' . $_[0]; }
>>
>>> I'll need the clear-text password sent to radiator to be first encrypted
>>> (similar to PHP's crypt with salt) before comparing against database.
>>
>> A better way to do this is to let Radiator know what the DB has. In this
>> case you need to tell it the DB has MySQL hashes.
>>
>>> Does anyone have a solution to this?
>>
>> Please let us know if the above helps.
>>
>> Thanks,
>> Heikki
>>
>> -- 
>> Heikki Vatiainen <hvn at open.com.au>
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>> NetWare etc.


-- 
Heikki Vatiainen <hvn at open.com.au>
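
The thread makes two points: the {prefix} tells Radiator which kind of hash the DB holds, and a crypt salt travels inside the stored hash. The following is an added example illustrating both; it is not part of the original thread and not Radiator's own code. It assumes a column that mixes Unix DES crypt and MySQL hashes; `$translate` and `crypt_matches` are hypothetical names, and the crypt comparison is the standard Unix one, not a copy of Radiator's implementation.

```perl
#!/usr/bin/perl
# Added illustration, not Radiator source. Sample values are constructed.
use strict;
use warnings;

# Same shape as the TranslatePasswordHook in the thread: $_[0] is the value
# read from the database, the return value is what gets checked.
# Assumption: the column may hold already-prefixed values, 13-character
# Unix DES crypt hashes, or 16-hex-digit MySQL hashes.
my $translate = sub {
    my ($stored) = @_;
    return $stored if $stored =~ /^\{[^}]+\}/;                    # already tagged
    return '{mysql}' . $stored if $stored =~ /^[0-9a-f]{16}$/i;   # e.g. 0569ef75321b8fed
    return '{crypt}' . $stored if $stored =~ m{^[./0-9A-Za-z]{13}$};
    return $stored;    # unknown format: left untouched rather than guessed
};

# Standard Unix crypt verification: the salt is the first two characters of
# the stored hash, so passing the stored hash as the salt argument
# reproduces it only when the password is right. No separate salt column
# or salting step is needed on the checking side.
sub crypt_matches {
    my ($incoming, $hash) = @_;
    my $computed = crypt($incoming, $hash);
    return defined $computed && $computed eq $hash;
}

# Constructed sample: DES crypt hash of 'fred' with salt 'ab'.
my $db_value = crypt('fred', 'ab');
die "DES crypt is not available in this libc\n"
    unless defined $db_value && length($db_value) == 13;

my $tagged = $translate->($db_value);
my ($hash) = $tagged =~ /^\{crypt\}(.*)$/;
printf "%-28s %s\n", $tagged, 'stored value after the hook';

for my $try ('fred', 'Fred') {
    printf "%-28s %s\n", $try, crypt_matches($try, $hash) ? 'accept' : 'reject';
}

# The MySQL hash quoted in the thread, bare and already prefixed.
print $translate->('0569ef75321b8fed'), "\n";
print $translate->('{mysql}0569ef75321b8fed'), "\n";
```

A value the hook cannot classify is returned without a prefix, so it would be compared as plain text; rows like that are worth finding and fixing in the database.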
