How to encrypt user password in Freeradius

Here is the list of attributes corresponding to each hashing method: https://freeradius.org/radiusd/man/rlm_pap.txt

Header          Attribute           Description
------          ---------           -----------
{clear}         Cleartext-Password  Clear-text passwords
{cleartext}     Cleartext-Password  Clear-text passwords
{crypt}         Crypt-Password      Unix-style "crypt"ed passwords
{md5}           MD5-Password        MD5 hashed passwords
{base64_md5}    MD5-Password        MD5 hashed passwords
{smd5}          SMD5-Password       MD5 hashed passwords, with a salt
{sha}           SHA-Password        SHA1 hashed passwords
                SHA1-Password       SHA1 hashed passwords
{ssha}          SSHA-Password       SHA1 hashed passwords, with a salt
{sha2}          SHA2-Password       SHA2 hashed passwords
{sha224}        SHA2-Password       SHA2 hashed passwords
{sha256}        SHA2-Password       SHA2 hashed passwords
{sha384}        SHA2-Password       SHA2 hashed passwords
{sha512}        SHA2-Password       SHA2 hashed passwords
{ssha224}       SSHA2-224-Password  SHA2 hashed passwords, with a salt
{ssha256}       SSHA2-256-Password  SHA2 hashed passwords, with a salt
{ssha384}       SSHA2-384-Password  SHA2 hashed passwords, with a salt
{ssha512}       SSHA2-512-Password  SHA2 hashed passwords, with a salt
{nt}            NT-Password         Windows NT hashed passwords
{nthash}        NT-Password         Windows NT hashed passwords
{md4}           NT-Password         Windows NT hashed passwords
{x-nthash}      NT-Password         Windows NT hashed passwords
{ns-mta-md5}    NS-MTA-MD5-Password Netscape MTA MD5 hashed passwords
{x- orcllmv}    LM-Password         Windows LANMAN hashed passwords
{X- orclntv}    NT-Password         Windows NT hashed passwords

Don't forget that the protocol and method you are using to authenticate your client will affect which method of hashing you can use.

You can find the table I used to configure my FreeRADIUS server for protocol and password compatibility here: http://deployingradius.com/documents/protocols/compatibility.html


To generate a sha256 salted password, I used the following script on GitHub (you need to edit the last 2 lines to change the password and the salt): https://gist.github.com/bestrocker221/f506eee8ccadc60cab71d5f633b7cc07


In short,

  1. You need to specify a password hash format instead of Cleartext-Password, and
  2. You need to set auth_goodpass and auth_badpass to 'no' to prevent logging passwords.

Specifying a hash format

As described in the rlm_pap man page, there are a number of password hash settings that can be used instead of Cleartext-Password. Let us take a simple example, MD5-Password:

#bob    Cleartext-Password := "hello"
bob     MD5-Password := "7d793037a0760186574b0282f2f435e7"
        Reply-Message := "Hello, %{User-Name}"

You can easily generate an md5 password hash like so:

$ echo -n world | md5sum | awk '{print $1}'
7d793037a0760186574b0282f2f435e7
$

When we test this against our server we see it authenticates:

$ radtest bob world localhost 1 testing123
Sent Access-Request Id 214 from 0.0.0.0:34920 to 127.0.0.1:1812 length 73
        User-Name = "bob"
        User-Password = "world"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1
        Message-Authenticator = 0x00
        Cleartext-Password = "world"
Received Access-Accept Id 214 from 127.0.0.1:1812 to 127.0.0.1:34920 length 32
        Reply-Message = "Hello, bob"

You can also specify your hash with the generic Password-With-Header option:

#bob    Cleartext-Password := "hello"
bob     Password-With-Header := "{md5}7d793037a0760186574b0282f2f435e7"
        Reply-Message := "Hello, %{User-Name}"

This has the same effect as the MD5-Password version did. The list of accepted headers is on that rlm_pap man page.

One of the most interesting headers available is Crypt-Password because it will run password hashes through libcrypt and therefore will work with whatever hashes you find in /etc/shadow. For example, on a Debian system, yescrypt hashes:

bob     Crypt-Password := "$y$j9T$2fOq6bdva3zoX6OfH.JvY0$PbUGbp1U.UXFAnGrkDrYnLZEDK.PXO/HXDsBn4mCsM8"
        Reply-Message := "Hello, %{User-Name}"

(Password in this case is a38sgena)

Disabling logging of passwords

In order to disable logging of passwords, find the auth_goodpass and auth_badpass selections within the radiusd.conf file:

#  Log passwords with the authentication requests.
#  auth_badpass  - logs password if it's rejected
#  auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = no

Make sure those are set to 'no' and your logging will stop including passwords.
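As an added example (not code from either answer, the gist, or FreeRADIUS itself), the following builds the salted SHA-256 value the first answer generates with its script, in the `{ssha256}` Password-With-Header form from the rlm_pap table, and checks a candidate password the same way rlm_pap does: base64-decode, split off the 32-byte digest, reuse the trailing salt. The MD5 helper reproduces the unsalted MD5-Password value from the second answer. The salt and password are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values; not taken from the original post.
SAMPLE_PASSWORD = "world"
SAMPLE_SALT = b"constructed-salt"


def ssha256_header(password: str, salt: bytes) -> str:
    """Password-With-Header value in rlm_pap's {ssha256} layout:
    "{ssha256}" + base64( SHA-256(password || salt) || salt )."""
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{ssha256}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha256(stored: str, candidate: str) -> bool:
    """Check a candidate the way rlm_pap does for SSHA2-256-Password:
    strip the header, decode, take the first 32 bytes as the digest and the
    remainder as the salt, recompute and compare in constant time."""
    if not stored.startswith("{ssha256}"):
        return False
    raw = base64.b64decode(stored[len("{ssha256}"):])
    if len(raw) <= 32:          # digest with no salt is malformed
        return False
    digest, salt = raw[:32], raw[32:]
    recomputed = hashlib.sha256(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, recomputed)


def md5_password(password: str) -> str:
    """Unsalted hex MD5-Password value, as in the users-file example above."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def users_entry(name: str, password: str, salt: bytes = None) -> str:
    """Render a users-file stanza with a fresh random salt per user."""
    if salt is None:
        salt = os.urandom(16)
    return (f'{name}\tPassword-With-Header := "{ssha256_header(password, salt)}"\n'
            f'\tReply-Message := "Hello, %{{User-Name}}"')


if __name__ == "__main__":
    print(users_entry("bob", SAMPLE_PASSWORD, SAMPLE_SALT))
```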