FreeRADIUS Package: Add option to enter NT or MD5 prehashed passwords in configuration
The FreeRADIUS Package currently provides the option to use 'Cleartext-Password' and only one hashing option, 'MD5-Password'. 'MD5-Password' computes the MD5 hash of the password to prevent internal storage of cleartext passwords. However, MD5 hashed passwords only support a limited set of authentication protocols (PAP and EAP-GTC). NT hash passwords (NTLM hash) are supported by more protocols, including the commonly used EAP-MSCHAPv2. The user should be provided an option to use NT hash passwords if desired. While cracking these hashes is trivial, use of a hash prevents casual observers from seeing the password.
Authentication with the NT hashed password is already supported by the underlying FreeRADIUS module, using the 'NT-Password' attribute in the 'users' configuration file (e.g. user NT-Password := "NTHASHEDPASSWORD"). Therefore, adding NT Hash as an option can be done simply by changing the pfSense FreeRADIUS configuration interface. Instead of implementing NT hashing in the package, I suggest providing the user with an option to enter a pre-hashed NT password in the configuration (with the user calculating the hash by themselves using freely available tools), i.e. an 'NT-Password (pre-hashed)' option in the FreeRADIUS user configuration. This is then stored with the 'NT-Password' attribute in the radius configuration file.
A complementary option would be 'MD5-Password (pre-hashed)', which allows the user to enter a password already hashed by MD5. As with the currently available 'MD5-Password' option, this alternative will store the password as 'MD5-Password' in the radius configuration but skip the hashing step.
This feature relates to Feature #8835. I have prepared a patch for this feature and will submit a pull request.
#4 Updated by Azamat Khakimyanov 26 days ago
- Status changed from Feedback to Resolved
built on Mon Oct 05 00:53:54 EDT 2020
NT or MD5 prehashed passwords work as expected. Tested by radtest with freeradius running on Localhost (127.0.0.1).
This feature request can be marked RESOLVED.