Score:3

How to encrypt user password in Freeradius

eg flag

I recently set up a freeradius server and would like to change the user password that is presently in cleartext to encrypted in the /etc/freeradius/3.0/users file.

This is what it looks like on the server.

[screenshot: the user entry in /etc/freeradius/3.0/users]

When I authenticate on the server, I can see the username and password in the /var/log/freeradius/radius.log file. How can I get it encrypted? I'm using Debian.

[screenshot: radius.log showing the username and password]

cn flag
For anyone else with the same question, I whipped up [this Perl script](https://gist.github.com/rc4/305a7f9cf945127fd045546cad4b13e5) that gives you the exact configuration line you need for a salted SHA256 password. It's a little easier than the Python one below too IMO, since it prompts for the password and generates a salt for you automatically ;-)
Score:2
ro flag

In short,

  1. You need to specify a password hash format instead of Cleartext-Password, and
  2. You need to set auth_goodpass and auth_badpass to 'no' to prevent logging passwords.

Specifying a hash format

As described in the rlm_pap man page, there are a number of password hash settings that can be used instead of Cleartext-Password. Let us take a simple example, MD5-Password:

#bob    Cleartext-Password := "hello"
bob     MD5-Password := "7d793037a0760186574b0282f2f435e7"
        Reply-Message := "Hello, %{User-Name}"

You can easily generate an MD5 password hash like so:

$ echo -n world | md5sum | awk '{print $1}'
7d793037a0760186574b0282f2f435e7
$

When we test this against our server we see it authenticates:

$ radtest bob world localhost 1 testing123
Sent Access-Request Id 214 from 0.0.0.0:34920 to 127.0.0.1:1812 length 73
        User-Name = "bob"
        User-Password = "world"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1
        Message-Authenticator = 0x00
        Cleartext-Password = "world"
Received Access-Accept Id 214 from 127.0.0.1:1812 to 127.0.0.1:34920 length 32
        Reply-Message = "Hello, bob"

You can also specify your hash with the generic Password-With-Header option:

#bob    Cleartext-Password := "hello"
bob     Password-With-Header := "{md5}7d793037a0760186574b0282f2f435e7"
        Reply-Message := "Hello, %{User-Name}"

This has the same effect as the MD5-Password version did. The list of accepted headers is on that rlm_pap man page.

One of the most interesting headers available is Crypt-Password because it will run password hashes through libcrypt and therefore will work with whatever hashes you find in /etc/shadow. For example, on a Debian system, yescrypt hashes:

bob     Crypt-Password := "$y$j9T$2fOq6bdva3zoX6OfH.JvY0$PbUGbp1U.UXFAnGrkDrYnLZEDK.PXO/HXDsBn4mCsM8"
        Reply-Message := "Hello, %{User-Name}"

(Password in this case is a38sgena)

Disabling logging of passwords

In order to disable logging of passwords, find the auth_goodpass and auth_badpass selections within the radiusd.conf file:

#  Log passwords with the authentication requests.
#  auth_badpass  - logs password if it's rejected
#  auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = no

Make sure those are set to 'no' and your logging will stop including passwords.

eg flag
Thanks for the solution. I changed the values as stated, but I could log in via SSH from another computer with the username and clear-text password; now I can't with the MD5 hashed password. How do I achieve that?
my flag
If you're calling the PAP module after the files module it should just work. You'd also need to make sure the RADIUS packets contain User-Password, as RADIUS CHAP authentication won't work with hashed passwords, only RADIUS PAP authentication.
ro flag
How are you generating the MD5 hash? A common mistake is to miss the `-n` argument to `echo` so that the hashed password includes a newline. `echo -n password | md5sum` will create a working hash for 'password'
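Added example (not code from the answer above, and not FreeRADIUS's own tooling): a small Python script that renders the two equivalent users-file stanzas for an unsalted MD5 hash and checks a stored MD5-Password value for the trailing-newline mistake raised in the comments. The stanza layout and the `diagnose_md5` helper are this example's own; only the sample credentials bob/world are taken from the answer.

```python
import hashlib

# Sample credentials from the answer (constructed demo data, not a real account).
USER = "bob"
PASSWORD = "world"


def md5_password(password: str) -> str:
    """Hex MD5 digest of the password, i.e. the value MD5-Password expects."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def users_entry(user: str, attribute: str, value: str) -> str:
    """Render one stanza of the FreeRADIUS 'users' file (layout chosen for this demo)."""
    return (
        f'{user:<8}{attribute} := "{value}"\n'
        f'        Reply-Message := "Hello, %{{User-Name}}"'
    )


def entries_for(user: str, password: str) -> dict:
    """Both ways of storing the same MD5 hash: the typed attribute and the generic header."""
    digest = md5_password(password)
    return {
        "MD5-Password": users_entry(user, "MD5-Password", digest),
        "Password-With-Header": users_entry(user, "Password-With-Header", "{md5}" + digest),
    }


def diagnose_md5(stored_hex: str, intended_password: str) -> str:
    """Explain why a stored MD5-Password value does or does not match a password.

    Reproduces the classic mistake from the comments: `echo password | md5sum`
    hashes a trailing newline that `echo -n` would have omitted.
    """
    stored = stored_hex.strip().lower()
    if stored == md5_password(intended_password):
        return "ok"
    if stored == md5_password(intended_password + "\n"):
        return "trailing-newline"  # generated with `echo` instead of `echo -n`
    return "mismatch"


if __name__ == "__main__":
    for name, stanza in entries_for(USER, PASSWORD).items():
        print(f"# {name}\n{stanza}\n")
    print("stored hash check:", diagnose_md5(md5_password(PASSWORD + "\n"), PASSWORD))
```

Run it as-is to print the two stanzas; feed `diagnose_md5` the hex value you pasted into the users file together with the password you expect, and a result of "trailing-newline" tells you the hash was produced without `-n`.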
Score:2
cn flag

Here is the list of attributes corresponding to each hashing method: https://freeradius.org/radiusd/man/rlm_pap.txt

Header          Attribute           Description
------          ---------           -----------
{clear}         Cleartext-Password  Clear-text passwords
{cleartext}     Cleartext-Password  Clear-text passwords
{crypt}         Crypt-Password      Unix-style "crypt"ed passwords
{md5}           MD5-Password        MD5 hashed passwords
{base64_md5}    MD5-Password        MD5 hashed passwords
{smd5}          SMD5-Password       MD5 hashed passwords, with a salt
{sha}           SHA-Password        SHA1 hashed passwords
                SHA1-Password       SHA1 hashed passwords
{ssha}          SSHA-Password       SHA1 hashed passwords, with a salt
{sha2}          SHA2-Password       SHA2 hashed passwords
{sha224}        SHA2-Password       SHA2 hashed passwords
{sha256}        SHA2-Password       SHA2 hashed passwords
{sha384}        SHA2-Password       SHA2 hashed passwords
{sha512}        SHA2-Password       SHA2 hashed passwords
{ssha224}       SSHA2-224-Password  SHA2 hashed passwords, with a salt
{ssha256}       SSHA2-256-Password  SHA2 hashed passwords, with a salt
{ssha384}       SSHA2-384-Password  SHA2 hashed passwords, with a salt
{ssha512}       SSHA2-512-Password  SHA2 hashed passwords, with a salt
{nt}            NT-Password         Windows NT hashed passwords
{nthash}        NT-Password         Windows NT hashed passwords
{md4}           NT-Password         Windows NT hashed passwords
{x-nthash}      NT-Password         Windows NT hashed passwords
{ns-mta-md5}    NS-MTA-MD5-Password Netscape MTA MD5 hashed passwords
{x- orcllmv}    LM-Password         Windows LANMAN hashed passwords
{X- orclntv}    NT-Password         Windows NT hashed passwords

Don't forget that the protocol and method you are using to authenticate your client will affect which method of hashing you can use.

You can find the table I used to configure my FreeRADIUS server for protocol and password compatibility: http://deployingradius.com/documents/protocols/compatibility.html

[table: protocol and password compatibility]

To generate a SHA256 salted password, I used the following script on GitHub (you need to edit the last 2 lines to change the password and the salt): https://gist.github.com/bestrocker221/f506eee8ccadc60cab71d5f633b7cc07

eg flag
Thank you. How can I use the hash value to authenticate via SSH using username bob and hash value "6afedb7a8348eb4ebdbe0c77ef92db4c"?
cn flag
Does authenticating using SSH work? (With a cleartext password, for example.) I never tried that; personally I use wpa_supplicant to send the login and password to a switch connected to my FreeRADIUS server.
eg flag
Yes it does. I configured /etc/pam.d/ on the client server and AAA on the Catalyst switch. I can SSH using the user and Cleartext-Password I created on the RADIUS server. I did the same with the MD5; it didn't work.
cn flag
Maybe authentication using the SSH protocol doesn't handle any encryption of the password :c
eg flag
Thanks again for the follow-up. Will it help if I configure SSL/TLS on the RADIUS server? Will it encrypt the password in the radius.log file?
cn flag
When I configured the SSL/TLS protocol on the RADIUS server, I generated certificates. Try PEAP-GTC, as PEAP brings TLS to the exchange of credentials. This is what I am using to authenticate with a SHA256 salted password.
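Added example, not the script linked in the answer and not FreeRADIUS's own code: generating and re-checking a salted SHA-256 value in Python. It assumes the value layout base64(sha256(password || salt) || salt), digest first with the salt appended, as the layout SSHA2-256-Password and the {ssha256} header expect, and it assumes rlm_pap accepts that value in either base64 or hex; the helper names, the sample password and the fixed sample salt are constructed for the demo. `verify_ssha256` repeats the split-and-rehash check so you can confirm a generated line before it goes into the users file.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

SHA256_LEN = 32  # bytes in a SHA-256 digest; everything after it is the salt


def ssha256_password(password: str, salt: Optional[bytes] = None,
                     salt_len: int = 16) -> str:
    """Return base64(sha256(password || salt) || salt).

    Assumed layout for SSHA2-256-Password / {ssha256}: digest first, salt
    appended. A fresh random salt is drawn when none is supplied.
    """
    if salt is None:
        salt = os.urandom(salt_len)
    if not salt:
        raise ValueError("salt must not be empty")
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def users_stanzas(user: str, value: str) -> str:
    """Two equivalent ways to put the value into the 'users' file (demo layout)."""
    return (
        f'{user:<8}SSHA2-256-Password := "{value}"\n'
        f'# or, using the generic header form:\n'
        f'{user:<8}Password-With-Header := "{{ssha256}}{value}"'
    )


def _decode_stored(stored: str) -> Optional[bytes]:
    """Accept the stored value as hex or base64 (assumption: rlm_pap normalises both)."""
    s = stored.strip()
    if len(s) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in s):
        try:
            return binascii.unhexlify(s)
        except binascii.Error:
            return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def salt_of(stored: str) -> Optional[bytes]:
    """The salt embedded in a stored value, or None if the value is malformed."""
    raw = _decode_stored(stored)
    if raw is None or len(raw) <= SHA256_LEN:
        return None
    return raw[SHA256_LEN:]


def verify_ssha256(stored: str, candidate: str) -> bool:
    """Re-check a stored value: split digest/salt, re-hash, compare in constant time."""
    raw = _decode_stored(stored)
    if raw is None or len(raw) <= SHA256_LEN:  # need at least one byte of salt
        return False
    digest, salt = raw[:SHA256_LEN], raw[SHA256_LEN:]
    expected = hashlib.sha256(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def as_hex(stored_b64: str) -> str:
    """The same value re-encoded as hex, the alternative input form."""
    return binascii.hexlify(base64.b64decode(stored_b64)).decode("ascii")


if __name__ == "__main__":
    # Constructed demo credentials; the salt is fixed here only to make the output reproducible.
    value = ssha256_password("s3cret-demo", salt=b"0123456789abcdef")
    print(users_stanzas("bob", value))
    print("verify:", verify_ssha256(value, "s3cret-demo"))
```

In normal use call `ssha256_password(password)` without a salt so that each entry gets its own random salt; the fixed salt in the `__main__` block exists only so two runs print the same stanza. Because the salt travels inside the stored value, nothing else has to be kept alongside the users file.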