CHAP Modification
|
View:
New views
13 Messages
—
Rating Filter:
Alert me
|
 |
CHAP Modification
by ChristosH
::
Rate this Message:
I'm trying to edit the way the CHAP module fetches passwords before hasing them due to a limitation in 2 different types of hardware we have.
One set of devices takes a HEX password stored on the device, converts it to binary, and then calculates the MD5 CHAP challenge to send to the server. The other set of devices just takes the HEX password and calculates the MD5 as if it were a string. I can distinguish which device is which when I'm adding passwords to my database (by adding a prefix 0x to let me know it's going from HEX -> BIN or whatnot) because the password is fixed at 32 characters, but definately not which device is which at run time. I guess what I'm trying to do is find where in the CHAP encoding module is the password attribute accessed/read and then passed (I'm guessing as an arguement) to be hashed. I think I could possibly do my funky math in mind there by checking the length of the password or the first two letters, and then converting to binary as needed or just passing it through. My problem is where exactly is this password CHAP challege code? I'm sifting through the radius.c file but can't seem to find anything. I'm comfortable writing some stuff with C and reading more complex things, so I don't think that will be a barrier. When I change it, will it require me to recompile everything every time I want to check? I'm using Fedora Core 6, Freerad 1.1.4, and MySql 5.0. |
|
|
Re: CHAP Modification
by Graeme Crawford
::
Rate this Message:
On 2/24/07, ChristosH <christov@...> wrote:
> > I'm trying to edit the way the CHAP module fetches passwords before hasing > them due to a limitation in 2 different types of hardware we have. > > One set of devices takes a HEX password stored on the device, converts it to > binary, and then calculates the MD5 CHAP challenge to send to the server. > The other set of devices just takes the HEX password and calculates the MD5 > as if it were a string. I can distinguish which device is which when I'm > adding passwords to my database (by adding a prefix 0x to let me know it's > going from HEX -> BIN or whatnot) because the password is fixed at 32 > characters, but definately not which device is which at run time. > > I guess what I'm trying to do is find where in the CHAP encoding module is > the password attribute accessed/read and then passed (I'm guessing as an > arguement) to be hashed. I think I could possibly do my funky math in mind > there by checking the length of the password or the first two letters, and > then converting to binary as needed or just passing it through. > > My problem is where exactly is this password CHAP challege code? I'm sifting > through the radius.c file but can't seem to find anything. I'm comfortable > writing some stuff with C and reading more complex things, so I don't think > that will be a barrier. When I change it, will it require me to recompile > everything every time I want to check? I'm using Fedora Core 6, Freerad > 1.1.4, and MySql 5.0. > -- > View this message in context: > http://www.nabble.com/CHAP-Modification-tf3284565.html#a9136389 > Sent from the FreeRadius - User mailing list archive at Nabble.com. > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html |
|
|
Re: CHAP Modification
by Alan DeKok-2
::
Rate this Message:
ChristosH wrote:
> My problem is where exactly is this password CHAP challege code? I'm sifting > through the radius.c file but can't seem to find anything. radius.c, rad_chap_encode(). Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html |
|
|
Re: CHAP Modification
by ChristosH
::
Rate this Message:
Okay, in the radius.c file they call a function rad_chap_encode() that uses the password attribute.
Is that what I'm looking for? It's a VALUE_PAIR type, so could I check and modify the password->length and password->strvalue in that function? Or should I back out and modify it in the auth.c rad_check_password () where it's called? I won't run into any issues if I modify the VALUE_PAIR values, will I? Also, is there a C function included in the libraries that will allow me to convert a hex string to binary? I'm worried I might get stuck in ASCII -> HEX -> BINARY conversions.
|
|
|
Re: CHAP Modification
by Alan DeKok-2
::
Rate this Message:
ChristosH wrote:
> Okay, in the radius.c file they call a function rad_chap_encode() that uses > the password attribute. > Is that what I'm looking for? Yes. > It's a VALUE_PAIR type, so could I check and modify the password->length and > password->strvalue in that function? Huh? Why? Do it elsewhere. > Or should I back out and modify it in the auth.c rad_check_password () where > it's called? I won't run into any issues if I modify the VALUE_PAIR values, > will I? No. I would suggest patching the server as little as possible. > Also, is there a C function included in the libraries that will allow me to > convert a hex string to binary? I'm worried I might get stuck in ASCII -> > HEX -> BINARY conversions. Yes. see "bin2hex" and "hex2bin". See also rlm_pap in 1.1.4, which does a lot of this kind of normalization already. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html |
|
|
Re: CHAP Modification
by ChristosH
::
Rate this Message:
Well, that's part of my issue; where's the best place to check the password and convert it to binary when needed. In the rlm_chap.C file I also notice that there's the code: DEBUG(" rlm_chap: Using clear text password \"%s\" for user %s authentication.", passwd_item->strvalue, request->username->strvalue); rad_chap_encode(request->packet,pass_str,request->password->strvalue[0],passwd_item); if (memcmp(pass_str+1,request->password->strvalue+1,CHAP_VALUE_LENGTH) != 0){ DEBUG(" rlm_chap: Password check failed"); snprintf(module_fmsg,sizeof(module_fmsg),"rlm_chap: Wrong user password"); module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ); pairadd(&request->packet->vps, module_fmsg_vp); return RLM_MODULE_REJECT; } Could I also modify the password there? I'm just trying to find the easiest way to check if the password should be read as a string or binary and then parse it properly BEFORE it is CHAP encoded because I can't change the hardware. > Also, is there a C function included in the libraries that will allow me to > convert a hex string to binary? I'm worried I might get stuck in ASCII -> > HEX -> BINARY conversions. Yes. see "bin2hex" and "hex2bin". See also rlm_pap in 1.1.4, which does a lot of this kind of normalization already. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html |
|
|
Re: CHAP Modification
by ChristosH
::
Rate this Message:
I don't see anything usefull in rlm_pap that could help me because it's CHAP authentication I'm working on. |
|
|
Re: CHAP Modification
by Alan DeKok-2
::
Rate this Message:
ChristosH wrote:
> I don't see anything usefull in rlm_pap that could help me because it's CHAP > authentication I'm working on. Yes, I know. I knew that when I pointed to rlm_pap. My point was that it may be possible in rlm_pap to normalize the password... just like it does for other types of passwords. If rlm_pap won't help, then I *strongly* suggest you write your own module. It's easier to integrate a module into a new release of FreeRADIUS than it is to apply a patch to the server core. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html |
|
|
Re: CHAP Modification
by ChristosH
::
Rate this Message:
Okay, I see what you mean now. Is there a tutorial on adding my own module to it? Or would I just include the chappatch.c file in the same directory, include the header file chappatch.h into the rlm_chap.c file (where do you stick the header files?) and recompile the whole thing? |
|
|
Re: CHAP Modification
by Alan DeKok-2
::
Rate this Message:
ChristosH wrote:
> Okay, I see what you mean now. Is there a tutorial on adding my own module > to it? Um... rlm_example? Or the files in doc/? It's not like the module system is that complicated. A C file, a tiny Makefile, and you're pretty much done. > Or would I just include the chappatch.c file in the same directory, > include the header file chappatch.h into the rlm_chap.c file (where do you > stick the header files?) and recompile the whole thing? You can do that if you want. But rlm_chap may change, and your patch may not work any more. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html |
|
|
Re: CHAP Modification
by ChristosH
::
Rate this Message:
I can't seem to find where in rlm_example it tells me how to create all the stuff to integrate my own module. I get that I'm going to have to create a slightly modified 'clone' of rlm_chap, and it's going to have to have it's own header file and makefile (for right now I'll refer to my module as rlm_altchap). The makefile looks relatively easy to do, the header looks simple enough also (just has to list functions contained in my module). Now, how do I make sure that my new module is included? Is everything in the modules folder complied in with FreeRadius every time you make it? Finally, how would I also set the module to intercept any CHAP requests? I was thinking to set the Auth-Type := altCHAP. |
|
|
Re: CHAP Modification
by Alan DeKok-2
::
Rate this Message:
ChristosH wrote:
> Now, how do I make sure that my new module is included? Is everything in the > modules folder complied in with FreeRadius every time you make it? No, but the top-level Make.inc contains the list of modules to build. > Finally, how would I also set the module to intercept any CHAP requests? I > was thinking to set the Auth-Type := altCHAP. Yes. See the code in rlm_chap: it sets "Auth-Type = CHAP" for CHAP requests. You can do the same thing. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html |
|
|
Re: CHAP Modification
by ChristosH
::
Rate this Message:
Thanks, problem resovled.
|
| Free embeddable forum powered by Nabble | Forum Help |
