RFC 8146 support in FreeRADIUS

Users mailing list
Hi,

I have got EAP-PWD to work with FreeRADIUS, which is nice, but I have not
been able to make it work with hashed passwords (Password-With-Header
variable).
I found RFC 8146, which defines new password preprocessing techniques, that
would make EAP-PWD usable without having to store the password in cleartext
or symmetric-encrypted.

Is there any plan to implement the RFC?

Regards,
Alberto
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: RFC 8146 support in FreeRADIUS

Alan DeKok-2
On Oct 4, 2019, at 7:08 AM, Alberto Martínez Setién via Freeradius-Users <[hidden email]> wrote:
> I have got EAP-PWD to work with FreeRADIUS, which is nice, but I have not
> been able to make it work with hashed passwords (Password-With-Header
> variable).
> I found RFC 8146, which defines new password preprocessing techniques, that
> would make EAP-PWD usable without having to store the password in cleartext
> or symmetric-encrypted.
>
> Is there any plan to implement the RFC?

  We have a long list of things we're working on.  The priorities depend on usefulness, ease of implementation, and how complex it is to do.

  But as always, this is an Open Source project.  If everyone sits around and does nothing, it goes nowhere.

  If someone sends a patch, it's much more likely to get integrated.  Or, if people *contribute*, it lowers the dev team's workload, and makes it more likely that a new feature can make it in.

  Alan DeKok.



Re: RFC 8146 support in FreeRADIUS

arr2036


> On 4 Oct 2019, at 07:17, Alan DeKok <[hidden email]> wrote:
>
> On Oct 4, 2019, at 7:08 AM, Alberto Martínez Setién via Freeradius-Users <[hidden email]> wrote:
>> I have got EAP-PWD to work with FreeRADIUS, which is nice, but I have not
>> been able to make it work with hashed passwords (Password-With-Header
>> variable).
>> I found RFC 8146, which defines new password preprocessing techniques, that
>> would make EAP-PWD usable without having to store the password in cleartext
>> or symmetric-encrypted.
>>
>> Is there any plan to implement the RFC?
>
>  We have a long list of things we're working on.  The priorities depend on usefulness, ease of implementation, and how complex it is to do.
>
>  But as always, this is an Open Source project.  If everyone sits around and does nothing, it goes nowhere.
>
>  If someone sends a patch, it's much more likely to get integrated.  Or, if people *contribute*, it lowers the dev team's workload, and makes it more likely that a new feature can make it in.

Or if you can confirm this is supported already in wpa_supplicant, then we'd be much more likely to add support.

-Arran


Arran Cudbard-Bell <[hidden email]>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2



Re: RFC 8146 support in FreeRADIUS

Jouni Malinen-5
On Fri, Oct 4, 2019 at 11:34 PM Arran Cudbard-Bell <[hidden email]> wrote:

> > On Oct 4, 2019, at 7:08 AM, Alberto Martínez Setién via Freeradius-Users <[hidden email]> wrote:
> >> I found RFC 8146, which defines new password preprocessing techniques, that
> >> would make EAP-PWD usable without having to store the password in cleartext
> >> or symmetric-encrypted.
>
> Or if you can confirm this is supported already in wpa_supplicant, then
> we'd be much more likely to add support.
>

wpa_supplicant supports three of the new password preprocessing techniques
from RFC 8146 (0x03, 0x04, 0x05, i.e., a random salt with SHA-1/256/512).

- Jouni

Re: RFC 8146 support in FreeRADIUS

Users mailing list
Hi Jouni,


> wpa_supplicant supports three of the new password preprocessing techniques
> from RFC 8146 (0x03, 0x04, 0x05, i.e., a random salt with SHA-1/256/512).
>

I looked at https://w1.fi/wpa_supplicant/ but EAP-PWD was not listed there.

Re: RFC 8146 support in FreeRADIUS

arr2036
In reply to this post by Jouni Malinen-5


> On Oct 4, 2019, at 6:24 PM, Jouni Malinen <[hidden email]> wrote:
>
> On Fri, Oct 4, 2019 at 11:34 PM Arran Cudbard-Bell <[hidden email]> wrote:
>
>>> On Oct 4, 2019, at 7:08 AM, Alberto Martínez Setién via Freeradius-Users <[hidden email]> wrote:
>>>> I found RFC 8146, which defines new password preprocessing techniques, that
>>>> would make EAP-PWD usable without having to store the password in cleartext
>>>> or symmetric-encrypted.
>>
>> Or if you can confirm this is supported already in wpa_supplicant, then
>> we'd be much more likely to add support.
>>
>
> wpa_supplicant supports three of the new password preprocessing techniques
> from RFC 8146 (0x03, 0x04, 0x05, i.e., a random salt with SHA-1/256/512).

Thanks for confirming.

-Arran
