Implements #10415 Adds prehashed NT-Password and MD5-Password to FreeRadius config #822
Conversation
As a part of this pull request, you must increase PORTVERSION or add a PORTREVISION line in the package Makefile. Without this version increase, the package will not be rebuilt to include the new change.
Done. I've incremented the PORTREVISION in the Makefile as this is a minor change.
* net/freeradius: Support NT hash of user password

  To improve security provide an "advanced" option to avoid storing users' radius passwords in plaintext. The default behaviour is unchanged. Tested using an openwrt access point as a client with the opnsense freeradius plugin set to use PEAP. Compare: pfsense/FreeBSD-ports#822

* net/freeradius: Bump user model version

  To reflect NT password hash change.

---------

Co-authored-by: Stuart McLaren <stuart-mclaren@users.noreply.github.com>
Implements Feature #10415.
These changes expose the option to use 'NT-Password' in FreeRADIUS. This provides the user an option to use hashed passwords with more Authentication protocols including the commonly used EAP-MSCHAPv2. Currently FreeRADIUS in pfSense only exposes the option to use 'MD5-Password' (MD5 hashes) which has very limited protocol support. EAP-MSCHAPv2 users cannot use MD5-Password and must use 'Cleartext-Password' which exposes passwords to casual observation.
This feature is implemented with very few changes to the codebase, as I chose to add this option with prehashed NT Passwords, i.e. a user calculates the hash themselves (easily done with freely available tools) and enters it in the configuration. Thus this feature simply adds the "NT-Password (pre-hashed)" option to the 'Password Encryption' field in the FreeRADIUS users configuration page.
I also added a corresponding "MD5-Password (pre-hashed)" option to the 'Password Encryption' field.
Correct function of this code can be checked by examining the 'users' radius configuration file under 'View config'; it should store the user/password as `"USERNAME" NT-Password := "NTHASHEDPASSWORD"` or `"USERNAME" MD5-Password := "MD5HASHEDPASSWORD"`.
I have tested use of this feature to allow hashed NT Passwords in my own pfSense firewall with EAP-MSCHAPv2 and this has been running without issue since November 2019.
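The description above leaves the hash calculation to the user ("easily done with freely available tools"). The following is an added example, not code from this pull request or from the pfSense FreeRADIUS package, showing how those pre-hashed values are derived and how they map onto the `users` file lines the PR describes. An NT hash is MD4 over the UTF-16LE encoding of the password; MD4 is implemented here in pure Python because OpenSSL 3 ships it only as a legacy algorithm and `hashlib.new("md4")` is frequently unavailable. The MD5 value is assumed to be the plain lowercase hex digest, which is the form FreeRADIUS accepts for `MD5-Password`. The function names and the `"alice"` sample user are this example's own.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK32


def _md4_compress(state, block):
    # One 64-byte block; X holds the sixteen little-endian 32-bit words.
    X = list(struct.unpack("<16I", block))
    a, b, c, d = state
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = [
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    for func, k, order, shifts in rounds:
        for i, idx in enumerate(order):
            a = _rotl((a + func(b, c, d) + X[idx] + k) & MASK32, shifts[i % 4])
            a, b, c, d = d, a, b, c  # rotate the working variables
    return [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (pure Python, no OpenSSL dependency)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)  # 64-bit little-endian bit length
    for off in range(0, len(data), 64):
        state = _md4_compress(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def md5_hash(password: str) -> str:
    """Hex MD5 of the password bytes, for the MD5-Password attribute."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def users_entry(username: str, password: str, scheme: str) -> str:
    """Build the FreeRADIUS 'users' file line in the form this PR writes."""
    if scheme == "nt":
        return f'"{username}" NT-Password := "{nt_hash(password)}"'
    if scheme == "md5":
        return f'"{username}" MD5-Password := "{md5_hash(password)}"'
    raise ValueError("scheme must be 'nt' or 'md5'")


if __name__ == "__main__":
    # Constructed sample user; this is not data from the pull request.
    for scheme in ("nt", "md5"):
        print(users_entry("alice", "password", scheme))
```

Two properties of the NT hash are worth keeping in mind when reading the PR's security rationale. It is unsalted, so identical passwords produce identical entries and the value is directly subject to offline guessing if the `users` file is disclosed; and for MS-CHAPv2 the server verifies the challenge response using the NT hash itself, so the hash is authentication-equivalent to the password for this service. The gain the PR delivers is that the cleartext is no longer recoverable by reading the file, which matters most where users reuse passwords elsewhere; the `users` file still needs the same access controls as before.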