Authenticate against FreeIPA PBKDF2_SHA256


Authenticate against FreeIPA PBKDF2_SHA256

Marc Sauer
Hello,

I would like to authenticate against our FreeIPA servers. The problem is
that our passwords are stored in the following format:

PBKDF2_SHA256

FreeRADIUS did not support this at all until version 3.0.22 [1]. The
functionality has been merged into the v3.0.x branch in September 2020.

Unfortunately it still does not work in 3.0.22 with FreeIPA passwords.

The example password I'm trying to authenticate against has the
following content:

{PBKDF2_SHA256}AAAIAEwR4+gKWf4IQAoqJWD7qwaUtanUiuYCJzD7ISaOwuvoBE4Ltq58p7hF4Or32gz2vrbGcD9JL7hUHoswrqGFlgCvDSNZD9MmuNePPk5SK/G3OdBMjZ6/6ioy5WJjKToPkE4cwsxL3F7nq0XzjvhzF9muy7I5HHSFYxxYCE92xk03JHi2Q1dlKqdsMDxF6wa50JO3aoVD6ZfqYr3It+JxzQTKrUS5JxHetbBdmm3WEhuMf4kgwfsCstE55kYfQCvB94D9Ro5s05MOgQulX9VyvOTB0xugOii290gLUssX1/qkacHVabTbA252kdxfguonASGEX7mpjJRskubgTHFadJ5i5TfodqvxJ/cghMaxZ1rkHXTZ9fBXxNZHltYHZVexhV3sJOq3Cq3eyvVuLfp3qwixPBJBWDC3Wv/mCSzdW5v6

When I try to authenticate against it, it shows the following error when
running freeradius -X:

(1) pap: Unknown header {PBKDF2_SHA256} in Password-With-Header,
re-writing to Cleartext-Password
(1) pap: Removing &control:Password-With-Header
(1)     [pap] = updated
(1)   } # authorize = updated
(1) Found Auth-Type = PAP
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   Auth-Type PAP {
(1) pap: Login attempt with password
(1) pap: Comparing with "known good" Cleartext-Password
(1) pap: ERROR: Cleartext password does not match "known good" password

What I don't understand is that FreeRADIUS says "Unknown header",
although the PBKDF2_SHA256 support seems to be implemented.

Is there anything wrong with my configuration or is there still something
wrong with the implementation of those kinds of hashes in FreeRADIUS?

If I knew C, I would love to help implement the support.

Maybe someone can help me with that.

Cheers,

Marc Sauer

[1]: https://github.com/FreeRADIUS/freeradius-server/issues/2649

--
Marc Sauer
Linux Systems Administrator

Kunsthochschule für Medien Köln/
Academy of Media Arts Cologne
Peter-Welter-Platz 2
50676 Köln

https://www.khm.de
https://en.khm.de

tel: +49 221 20189 - 239
business mobile: +49 151 74230781
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authenticate against FreeIPA PBKDF2_SHA256

Alan DeKok-2
On Apr 7, 2021, at 8:27 AM, Marc Sauer <[hidden email]> wrote:
> I would like to authenticate against our FreeIPA servers. The problem is that our passwords are stored in the following format:
>
> PBKDF2_SHA256

  That's not supported.  v3 supports PBKDF2 with various HMACs.  See src/modules/rlm_pap/rlm_pap.c

> FreeRADIUS did not support this at all until version 3.0.22 [1]. The functionality has been merged into the v3.0.x branch in September 2020.
>
> Unfortunately it still does not work in 3.0.22 with FreeIPA passwords.
>
> The example password I'm trying to authenticate against has the following content:
>
> {PBKDF2_SHA256}AAAIAEwR4+g...

  That isn't supported.  It's probably not hard to add, but... there's a ton of variants.

> When I try to authenticate against it, it shows the following error when running freeradius -X:
>
> (1) pap: Unknown header {PBKDF2_SHA256} in Password-With-Header, re-writing to Cleartext-Password

  That seems pretty clear: "Unknown header".

> What I don't understand is that FreeRADIUS says "Unknown header", although the PBKDF2_SHA256 support seems to be implemented.

  What makes you say that?

  PBKDF2 is a whole family of password formats.  Which means that each one has to be supported explicitly.

> Is there anything wrong with my configuration or is there still something wrong with the implementation of those kinds of hashes in FreeRADIUS?

  The error message is clear: "Unknown header".  It does NOT say "found known header, and then the password didn't match".

> If I knew C, I would love to help implement the support.

  We'll take a look, but we can't promise any particular time frame.

  Alan DeKok.


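The thread turns on one point: a `Password-With-Header` value is only useful to an authenticator that knows the exact encoding behind the header, and `{PBKDF2_SHA256}` as FreeIPA stores it is a distinct layout from the PBKDF2 variants rlm_pap understands. The Python below is an added illustration of what "supporting the scheme explicitly" means; it is not code from FreeRADIUS or from the poster. The byte layout it decodes (4-byte big-endian iteration count, 64-byte salt, 256-byte PBKDF2-HMAC-SHA256 output, all base64-encoded) is an assumption about how 389 Directory Server, which FreeIPA uses, encodes this scheme. The `FREEIPA_EXAMPLE` value is the one quoted in the original post; its cleartext is unknown, so the block only parses it (the iteration count decodes to 2048) and demonstrates full encode-and-verify on a constructed password and salt. Function names are the example's own.

```python
import base64
import hashlib
import hmac
import os
import struct

# Assumed layout of a 389-ds / FreeIPA "{PBKDF2_SHA256}" value (not documented in
# the thread itself):
#   base64( iterations (4 bytes, big-endian) || salt (64 bytes) || PBKDF2-HMAC-SHA256 output (256 bytes) )
HEADER = "{PBKDF2_SHA256}"
ITER_LEN, SALT_LEN, DK_LEN = 4, 64, 256

# The stored value quoted in the original post (its cleartext is not known).
FREEIPA_EXAMPLE = "{PBKDF2_SHA256}AAAIAEwR4+gKWf4IQAoqJWD7qwaUtanUiuYCJzD7ISaOwuvoBE4Ltq58p7hF4Or32gz2vrbGcD9JL7hUHoswrqGFlgCvDSNZD9MmuNePPk5SK/G3OdBMjZ6/6ioy5WJjKToPkE4cwsxL3F7nq0XzjvhzF9muy7I5HHSFYxxYCE92xk03JHi2Q1dlKqdsMDxF6wa50JO3aoVD6ZfqYr3It+JxzQTKrUS5JxHetbBdmm3WEhuMf4kgwfsCstE55kYfQCvB94D9Ro5s05MOgQulX9VyvOTB0xugOii290gLUssX1/qkacHVabTbA252kdxfguonASGEX7mpjJRskubgTHFadJ5i5TfodqvxJ/cghMaxZ1rkHXTZ9fBXxNZHltYHZVexhV3sJOq3Cq3eyvVuLfp3qwixPBJBWDC3Wv/mCSzdW5v6"


def is_known_header(stored: str) -> bool:
    """True only for the one header this verifier implements.

    An unrecognised header must be rejected outright; it must never be
    reinterpreted as a cleartext password, which is the fallback the
    debug output in the thread shows.
    """
    return stored.startswith(HEADER)


def parse_pbkdf2_sha256(stored: str):
    """Split a {PBKDF2_SHA256} value into (iterations, salt, derived_key)."""
    if not is_known_header(stored):
        raise ValueError("unknown password header: " + stored.split("}")[0] + "}")
    blob = base64.b64decode(stored[len(HEADER):], validate=True)
    if len(blob) != ITER_LEN + SALT_LEN + DK_LEN:
        raise ValueError("unexpected {PBKDF2_SHA256} payload length %d" % len(blob))
    iterations = struct.unpack(">I", blob[:ITER_LEN])[0]
    salt = blob[ITER_LEN:ITER_LEN + SALT_LEN]
    derived_key = blob[ITER_LEN + SALT_LEN:]
    return iterations, salt, derived_key


def verify_pbkdf2_sha256(stored: str, candidate: str) -> bool:
    """Recompute PBKDF2-HMAC-SHA256 with the stored parameters and compare in constant time."""
    iterations, salt, derived_key = parse_pbkdf2_sha256(stored)
    computed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                                   iterations, dklen=DK_LEN)
    return hmac.compare_digest(computed, derived_key)


def encode_pbkdf2_sha256(password: str, iterations: int = 2048, salt: bytes = None) -> str:
    """Produce a value in the same layout, so the parser can be exercised on known input."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    derived_key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                      iterations, dklen=DK_LEN)
    payload = struct.pack(">I", iterations) + salt + derived_key
    return HEADER + base64.b64encode(payload).decode("ascii")


if __name__ == "__main__":
    iterations, salt, derived_key = parse_pbkdf2_sha256(FREEIPA_EXAMPLE)
    print("iterations=%d salt=%d bytes dk=%d bytes" % (iterations, len(salt), len(derived_key)))

    # Constructed sample: a password and fixed salt chosen here, not taken from the post.
    sample = encode_pbkdf2_sha256("constructed-example-password", 2048, bytes(range(SALT_LEN)))
    print(verify_pbkdf2_sha256(sample, "constructed-example-password"))
    print(verify_pbkdf2_sha256(sample, "wrong-password"))
    print(is_known_header("{PBKDF2}not-this-layout"))
```

Note that the stored value carries its own iteration count, so a verifier must read that field rather than assume a default; the post's value decodes to 2048 iterations, a lower work factor than newer 389-ds releases use, which is the kind of detail a site should check when auditing stored credentials.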