How to encrypt user password in Freeradius
Here is the list of attributes corresponding to each hashing method (from the rlm_pap man page): https://freeradius.org/radiusd/man/rlm_pap.txt
Header         Attribute            Description
------         ---------            -----------
{clear}        Cleartext-Password   Clear-text passwords
{cleartext}    Cleartext-Password   Clear-text passwords
{crypt}        Crypt-Password       Unix-style "crypt"ed passwords
{md5}          MD5-Password         MD5 hashed passwords
{base64_md5}   MD5-Password         MD5 hashed passwords
{smd5}         SMD5-Password        MD5 hashed passwords, with a salt
{sha}          SHA-Password         SHA1 hashed passwords
               SHA1-Password        SHA1 hashed passwords
{ssha}         SSHA-Password        SHA1 hashed passwords, with a salt
{sha2}         SHA2-Password        SHA2 hashed passwords
{sha224}       SHA2-Password        SHA2 hashed passwords
{sha256}       SHA2-Password        SHA2 hashed passwords
{sha384}       SHA2-Password        SHA2 hashed passwords
{sha512}       SHA2-Password        SHA2 hashed passwords
{ssha224}      SSHA2-224-Password   SHA2 hashed passwords, with a salt
{ssha256}      SSHA2-256-Password   SHA2 hashed passwords, with a salt
{ssha384}      SSHA2-384-Password   SHA2 hashed passwords, with a salt
{ssha512}      SSHA2-512-Password   SHA2 hashed passwords, with a salt
{nt}           NT-Password          Windows NT hashed passwords
{nthash}       NT-Password          Windows NT hashed passwords
{md4}          NT-Password          Windows NT hashed passwords
{x-nthash}     NT-Password          Windows NT hashed passwords
{ns-mta-md5}   NS-MTA-MD5-Password  Netscape MTA MD5 hashed passwords
{x- orcllmv}   LM-Password          Windows LANMAN hashed passwords
{X- orclntv}   NT-Password          Windows NT hashed passwords
Don't forget that the protocol and method you are using to authenticate your client will affect which hashing methods you can use.
You can find the table I used to configure my FreeRADIUS server for protocol and password compatibility here: http://deployingradius.com/documents/protocols/compatibility.html
To generate a salted SHA-256 password, I used the following script on GitHub (you need to edit the last 2 lines to change the password and the salt): https://gist.github.com/bestrocker221/f506eee8ccadc60cab71d5f633b7cc07
In short,
- You need to specify a password hash format instead of Cleartext-Password, and
- You need to set auth_goodpass and auth_badpass to 'no' to prevent logging passwords.
Specifying a hash format
As described in the rlm_pap man page, there are a number of password hash settings that can be used instead of Cleartext-Password. Let us take a simple example, MD5-Password:
#bob Cleartext-Password := "hello"
bob	MD5-Password := "7d793037a0760186574b0282f2f435e7"
	Reply-Message := "Hello, %{User-Name}"
You can easily generate an MD5 password hash like so:
$ echo -n world | md5sum | awk '{print $1}'
7d793037a0760186574b0282f2f435e7
$
When we test this against our server we see it authenticates:
$ radtest bob world localhost 1 testing123
Sent Access-Request Id 214 from 0.0.0.0:34920 to 127.0.0.1:1812 length 73
	User-Name = "bob"
	User-Password = "world"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1
	Message-Authenticator = 0x00
	Cleartext-Password = "world"
Received Access-Accept Id 214 from 127.0.0.1:1812 to 127.0.0.1:34920 length 32
	Reply-Message = "Hello, bob"
You can also specify your hash with the generic Password-With-Header option:
#bob Cleartext-Password := "hello"
bob	Password-With-Header := "{md5}7d793037a0760186574b0282f2f435e7"
	Reply-Message := "Hello, %{User-Name}"
This has the same effect as the MD5-Password version did. The list of accepted headers is on that rlm_pap man page.
One of the most interesting headers available is Crypt-Password, because it will run password hashes through libcrypt and therefore will work with whatever hashes you find in /etc/shadow. For example, on a Debian system, yescrypt hashes:
bob	Crypt-Password := "$y$j9T$2fOq6bdva3zoX6OfH.JvY0$PbUGbp1U.UXFAnGrkDrYnLZEDK.PXO/HXDsBn4mCsM8"
	Reply-Message := "Hello, %{User-Name}"
(The password in this case is a38sgena.)
Disabling logging of passwords
In order to disable logging of passwords, find the auth_goodpass and auth_badpass settings within the radiusd.conf file:
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = no
Make sure those are set to 'no' and your logging will stop including passwords.
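Added example, not code from either answer above or from the FreeRADIUS project: a small Python script that produces Password-With-Header values in the layout rlm_pap expects for the salted headers ({ssha}, {ssha256}, {ssha512}: base64 of digest(password + salt) with the salt appended after the digest) and for the unsalted ones ({md5}, {sha}, {sha256}, {sha512}: the digest in hex), plus a verify() that recomputes the hash the way the server does so an entry can be checked before it goes into the users file. It covers both the salted SHA-256 value the first answer generated with the linked gist and the Password-With-Header form used in the second answer. The function names, the 16-byte default salt and the sample user bob/world are this example's own choices; NT-Password (MD4 over UTF-16LE) and Crypt-Password are not covered, since the former needs an MD4 implementation and the latter is produced by the system's crypt(3).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Example code added to this page; not FreeRADIUS code and not from either answer.
# rlm_pap header -> hashlib digest name. Salted forms are stored as
# base64(digest(password + salt) + salt); unsalted forms store the bare digest.
SALTED = {"ssha": "sha1", "ssha256": "sha256", "ssha512": "sha512"}
UNSALTED = {"md5": "md5", "sha": "sha1", "sha256": "sha256", "sha512": "sha512"}


def make_salted(password: str, header: str = "ssha256",
                salt: Optional[bytes] = None, salt_len: int = 16) -> str:
    """Return a Password-With-Header value such as {ssha256}<base64>.

    A fresh random salt is drawn per call unless one is supplied (only do that
    for reproducible tests; every real user should get a different salt)."""
    algo = SALTED[header]
    if salt is None:
        salt = os.urandom(salt_len)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (header, base64.b64encode(digest + salt).decode("ascii"))


def make_unsalted(password: str, header: str) -> str:
    """Return {md5}/{sha}/{sha256}/{sha512}<hex digest>, as in the answer above."""
    digest = hashlib.new(UNSALTED[header], password.encode("utf-8")).hexdigest()
    return "{%s}%s" % (header, digest)


def _decode_body(body: str, digest_size: int) -> bytes:
    """Accept hex or base64 for an unsalted value, roughly as rlm_pap does:
    exactly 2*digest_size hex characters is hex, anything else is base64."""
    if len(body) == 2 * digest_size:
        try:
            return bytes.fromhex(body)
        except ValueError:
            pass
    return base64.b64decode(body, validate=True)


def verify(stored: str, candidate: str) -> bool:
    """Check candidate against a {header}value string the way rlm_pap would.

    Returns False on a mismatch; raises ValueError for malformed input or a
    header this example does not implement. Comparisons are constant-time."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("expected {header}value")
    header, _, body = stored[1:].partition("}")
    header = header.lower()
    cand = candidate.encode("utf-8")
    if header in SALTED:
        algo = SALTED[header]
        dsize = hashlib.new(algo).digest_size
        raw = base64.b64decode(body, validate=True)
        if len(raw) <= dsize:
            raise ValueError("salted value too short to contain a salt")
        stored_digest, salt = raw[:dsize], raw[dsize:]   # salt follows the digest
        calc = hashlib.new(algo, cand + salt).digest()
        return hmac.compare_digest(calc, stored_digest)
    if header in UNSALTED:
        algo = UNSALTED[header]
        raw = _decode_body(body, hashlib.new(algo).digest_size)
        return hmac.compare_digest(hashlib.new(algo, cand).digest(), raw)
    raise ValueError("unsupported header %r" % header)


def users_entry(username: str, value: str,
                reply: str = "Hello, %{User-Name}") -> str:
    """Format a two-line entry for the FreeRADIUS users file."""
    return '%s\tPassword-With-Header := "%s"\n\tReply-Message := "%s"' % (
        username, value, reply)


if __name__ == "__main__":
    value = make_salted("world", "ssha256")
    print(users_entry("bob", value))
    print("correct password:", verify(value, "world"),
          " wrong password:", verify(value, "World"))
```

Paste the printed entry into the users file, restart the server and test with `radtest bob world localhost 1 testing123` as in the answer above. These headers are only checked by rlm_pap, so they work for PAP (including EAP-TTLS with PAP inside) but not for CHAP or MS-CHAP, which need Cleartext-Password or NT-Password respectively; the compatibility table linked in the first answer lists which combinations work. For Crypt-Password the value has to come from crypt(3) itself (for example `mkpasswd` from Debian's whois package or `openssl passwd -6`), and a yescrypt hash like the one above only verifies if the libcrypt FreeRADIUS is linked against supports that scheme.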