[RADIATOR] MSCHAPv2 with BCrypt passwords

Mike Puchol puchol at me.com
Fri Jan 16 11:52:46 CST 2015


Greetings,

I'm working on a deployment that should support PEAP with MSCHAPv2, but which cannot have either plaintext passwords or NT hashes stored (the latter can be decrypted in milliseconds on sites such as http://www.hashkiller.co.uk/ntlm-decrypter.aspx).

Passwords are stored in BCrypt hash format, so my questions are:

1. I could, when signing users up, do plaintext -> nthash -> bcrypt, and then compare the incoming nthash from the client also passed through bcrypt inside a hook. I've spent the last two days looking at hook examples, mailing list posts and the documentation, but I cannot figure out where to put the hook, or how to get the nthash from the EAP messages.

2. A secondary question, derived from #1 above: is there any documentation on hooks that explains how/what parameters and functions are available for each hook type? I don't mind looking through code, but I've not found a clear answer. Example: for PreAuthHook, we're told $_[0] contains a "reference to the current request"... kind of vague.

I'm doing AuthBy SQL, no LDAP (found tons of password-related info for LDAP and its hooks... but not useful).

Cheers,

Mike


