Project

General

Profile

Actions

Feature #10415

closed

FreeRADIUS Package: Add option to enter NT or MD5 prehashed passwords in configuration

Added by Tet-Woo Lee over 4 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Normal
Category:
FreeRADIUS
Target version:
-
Start date:
04/02/2020
Due date:
% Done:

100%

Estimated time:
Plus Target Version:

Description

The FreeRADIUS Package currently provides the option to use 'Cleartext-Password' and only hashing option - 'MD5-Password'. 'MD5-Password' computes the MD5 hash of the password to prevent internal storage of cleartext passwords. However, MD5 hashed passwords only support limited Authentication protocols (PAP and EAP-GTC). NT hash passwords (NTLM hash) are supported by more protocols, including the commonly used EAP-MSCHAPv2. The user should be provided an option to use NT hash passwords if desired. While cracking these hashes is trivial, use of a hash prevents casual observers from seeing the password.

Authentication with the NT hashed password is already supported by the underlying FreeRADIUS module - using the 'NT-Password' attribute in the 'users' configuration file (e.g. "user NT-Password := "NTHASHEDPASSWORD"). Therefore, adding NT Hash as an option can be simply done by changing the pfSense FreeRADIUS configuration interface. Instead of implementing NT hashing in the package, I suggest providing the user with an option to enter a pre-hashed NT password in the configuration (with the user calculating the hash by themselves using freely available tools), i.e. an 'NT-Password (pre-hashed)' option to the FreeRADIUS user configuration. This is then stored with the 'NT-Password' attribute in the radius configuration file.

A complementary option would be 'MD5-Password (pre-hashed)', which allows the user to enter a password already hashed by MD5. As with the currently available 'MD5-Password' option, this alternative will store the password as 'MD5-Password' in the radius configuration but skip the hashing step.

This feature relates to Feature #8835. I have prepared a patch for this feature and will submit a pull request.

Actions #1

Updated by Tet-Woo Lee over 4 years ago

Link to pull request: https://github.com/pfsense/FreeBSD-ports/pull/822 Implements #10415 Adds prehashed NT-Password and MD5-Password to FreeRadius config

Actions #2

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Pull Request Review
Actions #3

Updated by Renato Botelho over 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #4

Updated by Azamat Khakimyanov about 4 years ago

  • Status changed from Feedback to Resolved

Tested on:
2.4.5_p1 and
2.5.0-DEVELOPMENT (amd64)
built on Mon Oct 05 00:53:54 EDT 2020
FreeBSD 12.2-STABLE

NT or MD5 prehashed passwords work as expected. Tested by radtest with freeradius running on Localhost (127.0.0.1).

This feature request can be mark RESOLVED.

Actions

Also available in: Atom PDF