[RADIATOR] suggested hash algorithm for passwords in text files

Heikki Vatiainen hvn at open.com.au
Mon Jan 13 10:17:08 CST 2014


On 01/10/2014 03:15 PM, Hartmaier Alexander wrote:

> As MD5 isn't recommended these days and we don't want to use some
> vendor/product specific algorithm like the mysql or mssql ones I'm
> looking for something like SHA256 or better.
> Digest::SHA is a required module since version 4.10 but it's sha256 and
> sha512 methods seem to be unused currently.

That is correct, there is no {...} format for SHA-256 or SHA-512.
However, crypt(3) formats are available, and if you run Linux with
recent enough libc (2.7 or later) you can do this to create user mikem
with password fred:

% mkpasswd --method=SHA-512 --salt=SaltForFred fred
$6$SaltForFred$emRLnSZatjAN8vGAwg5hJJ2IVbiM.ai0DwNOStp0TPfc0I9IgZ6hc4F00DefzvacVz9ftd7WU0GY7yMrQ7FY00

% echo 'mikem User-Password=$6$SaltForFred$emRLnSZatjAN8vGAwg5hJJ2IVbiM.ai0DwNOStp0TPfc0I9IgZ6hc4F00DefzvacVz9ftd7WU0GY7yMrQ7FY00' >> users-file

The mkpasswd command comes with the whois package on Debian and Ubuntu
systems. The salt is specified for example only; the command can create
its own salts and does so by default.

mkpasswd creates a password hash in the format that is compatible with
/etc/shadow. Radiator then uses crypt() to check if the hash matches the
submitted password.

> I've tried using Encrypted-Password = "{SHA}" but that's Netscape SHA and
> seems to be incompatible with SHA1.

You can use goodies/sha.pl and goodies/ssha.pl to generate SHA and SSHA
(Salted SHA) hashes. These are SHA1 only and the format is: Base64
encoded hash value followed by 0 or more bytes of salt where 0 bytes
means no salt is used.

The command line utilities produce hex output, so that's why it's not
possible to use e.g. sha1sum output directly here.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
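Added example, not code from Radiator, mkpasswd or the list members: a pure-Python SHA-512 crypt(3) implementation following the SHA-crypt specification that glibc implements, so the `$6$salt$hash` value mkpasswd prints above can be reproduced and checked offline without the platform's crypt(). It also builds and checks the salted-SHA1 value the reply describes for goodies/ssha.pl, assuming the standard LDAP `{SSHA}` layout base64(sha1(password + salt) + salt). The users-file line format `username User-Password=...` is taken from the reply; the `rounds=N$` salt prefix is deliberately not supported.

```python
import base64
import hashlib
import secrets

# crypt(3)'s own base64 alphabet (not the RFC 4648 one).
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Byte permutation the SHA-crypt spec applies before encoding the
# 64-byte digest: each triple becomes four characters, byte 63 two.
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]


def _b64_24bit(b2, b1, b0, n):
    """Emit n characters of a 24-bit word, least significant 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += _B64[w & 0x3F]
        w >>= 6
    return out


def _repeat_to(digest, length):
    """Stretch a 64-byte digest to `length` bytes the way the spec does."""
    return digest * (length // 64) + digest[: length % 64]


def sha512_crypt(password, salt, rounds=5000):
    """Return '$6$salt$hash' for a password and salt string (default 5000 rounds)."""
    pw = password.encode()
    salt = salt[:16]               # the spec caps the salt at 16 characters
    st = salt.encode()
    H = hashlib.sha512
    b = H(pw + st + pw).digest()   # digest B
    a = H(pw + st)                 # digest A
    a.update(_repeat_to(b, len(pw)))
    n = len(pw)
    while n > 0:                   # walk the bits of the password length
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = _repeat_to(H(pw * len(pw)).digest(), len(pw))      # P bytes
    s = _repeat_to(H(st * (16 + a[0])).digest(), len(st))  # S bytes
    c = a
    for i in range(rounds):        # the stretching loop
        h = H()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    enc = "".join(_b64_24bit(c[x], c[y], c[z], 4) for x, y, z in _ORDER)
    enc += _b64_24bit(0, 0, c[63], 2)
    return "$6$%s$%s" % (salt, enc)


def new_user_entry(username, password):
    """Users-file line with a fresh random 16-character salt (format as in the reply)."""
    salt = "".join(secrets.choice(_B64) for _ in range(16))
    return "%s User-Password=%s" % (username, sha512_crypt(password, salt))


def check_password(stored, candidate):
    """What a crypt()-style check does: rehash with the stored salt, compare."""
    parts = stored.split("$")      # ['', '6', salt, hash]
    if len(parts) != 4 or parts[1] != "6":
        return False
    return secrets.compare_digest(sha512_crypt(candidate, parts[2]), stored)


def ssha(password, salt):
    """Assumed {SSHA} layout: base64(sha1(password + salt) + salt), salt is bytes."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored, candidate):
    """Split the decoded value into the 20-byte SHA-1 digest and trailing salt."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return secrets.compare_digest(
        hashlib.sha1(candidate.encode() + salt).digest(), digest)


if __name__ == "__main__":
    # Constructed check against the mkpasswd output quoted in the reply.
    print(sha512_crypt("fred", "SaltForFred"))
    print(new_user_entry("mikem", "fred"))
```

The known-vector call reproduces the `$6$SaltForFred$...` line printed by mkpasswd above, which is the point: whatever writes the users file and whatever verifies it only have to agree on the crypt(3) encoding, and the salt travels inside the stored value. The check functions use `secrets.compare_digest` so a mismatch is not leaked through timing.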
