Feature #10415

closed

FreeRADIUS Package: Add option to enter NT or MD5 prehashed passwords in configuration

Added by Tet-Woo Lee over 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Category: FreeRADIUS
Target version: -
Start date: 04/02/2020
% Done: 100%

Description

The FreeRADIUS Package currently provides the option to use 'Cleartext-Password' and only one hashing option, 'MD5-Password'. 'MD5-Password' computes the MD5 hash of the password to prevent internal storage of cleartext passwords. However, MD5 hashed passwords only support a limited set of authentication protocols (PAP and EAP-GTC). NT hash passwords (NTLM hash) are supported by more protocols, including the commonly used EAP-MSCHAPv2. The user should be provided an option to use NT hash passwords if desired. While cracking these hashes is trivial, use of a hash prevents casual observers from seeing the password.

Authentication with the NT hashed password is already supported by the underlying FreeRADIUS module, using the 'NT-Password' attribute in the 'users' configuration file (e.g. 'user NT-Password := "NTHASHEDPASSWORD"'). Therefore, adding NT Hash as an option can be simply done by changing the pfSense FreeRADIUS configuration interface. Instead of implementing NT hashing in the package, I suggest providing the user with an option to enter a pre-hashed NT password in the configuration (with the user calculating the hash by themselves using freely available tools), i.e. an 'NT-Password (pre-hashed)' option to the FreeRADIUS user configuration. This is then stored with the 'NT-Password' attribute in the radius configuration file.

A complementary option would be 'MD5-Password (pre-hashed)', which allows the user to enter a password already hashed by MD5. As with the currently available 'MD5-Password' option, this alternative will store the password as 'MD5-Password' in the radius configuration but skip the hashing step.

This feature relates to Feature #8835. I have prepared a patch for this feature and will submit a pull request.
