Implements #10415 Adds prehashed NT-Password and MD5-Password to FreeRadius config #822

Merged: 4 commits, Apr 3, 2020

Conversation

@twlee79 twlee79 (Contributor) commented Apr 3, 2020

Implements Feature #10415.

These changes expose the option to use 'NT-Password' in FreeRADIUS. This provides the user an option to use hashed passwords with more authentication protocols, including the commonly used EAP-MSCHAPv2. Currently FreeRADIUS in pfSense only exposes the option to use 'MD5-Password' (MD5 hashes), which has very limited protocol support. EAP-MSCHAPv2 users cannot use MD5-Password and must use 'Cleartext-Password', which exposes passwords to casual observation.

This feature is implemented with very few changes to the codebase, as I chose to add this option with prehashed NT Passwords, i.e. a user calculates the hash themselves (easily done with freely available tools) and enters it in the configuration. Thus this feature simply adds the "NT-Password (pre-hashed)" option to the 'Password Encryption' field in the FreeRADIUS users configuration page.

I also added a corresponding "MD5-Password (pre-hashed)" option to the 'Password Encryption' field.

Correct function of this code can be checked by examining the 'users' RADIUS configuration file under 'View config'; it should store the user/password as: "USERNAME" NT-Password := "NTHASHEDPASSWORD" or "USERNAME" MD5-Password := "MD5HASHEDPASSWORD"

I have tested use of this feature to allow hashed NT Passwords in my own pfSense firewall with EAP-MSCHAPv2 and this has been running without issue since November 2019.

@jim-p jim-p (Contributor) left a comment

As a part of this pull request, you must increase PORTVERSION or add a PORTREVISION line in the package Makefile. Without this version increase, the package will not be rebuilt to include the new change.

See https://www.netgate.com/docs/pfsense/development/developer-style-guide.html#ports-packages-specific-rules

@twlee79 twlee79 (Contributor, Author) commented Apr 3, 2020

Done. I've incremented the PORTREVISION in the Makefile as this is a minor change.

@netgate-git-updates netgate-git-updates merged commit 3840df7 into pfsense:devel Apr 3, 2020
stuart-mclaren added a commit to stuart-mclaren/plugins that referenced this pull request Feb 19, 2024
To improve security provide an option to avoid storing users' radius
passwords in plaintext.

Tested using an openwrt access point as a client with the opnsense
freeradius plugin set to use PEAP.

Compare: pfsense/FreeBSD-ports#822
stuart-mclaren added a commit to stuart-mclaren/plugins that referenced this pull request Feb 19, 2024
To improve security provide an "advanced" option to avoid storing
users' radius passwords in plaintext.

The default behaviour is unchanged.

Tested using an openwrt access point as a client with the opnsense
freeradius plugin set to use PEAP.

Compare: pfsense/FreeBSD-ports#822
fichtner pushed a commit to opnsense/plugins that referenced this pull request Mar 29, 2024
* net/freeradius: Support NT hash of user password

To improve security provide an "advanced" option to avoid storing
users' radius passwords in plaintext.

The default behaviour is unchanged.

Tested using an openwrt access point as a client with the opnsense
freeradius plugin set to use PEAP.

Compare: pfsense/FreeBSD-ports#822

* net/freeradius: Bump user model version

To reflect NT password hash change.

---------

Co-authored-by: Stuart McLaren <stuart-mclaren@users.noreply.github.com>
netgate-git-updates pushed a commit that referenced this pull request Apr 20, 2024
Major Changes:
 - jail: Fix pkgbase jail creation
        Syntax is now: -m pkgbase=latest -U https://url...
 - image: Fix setting hostname when crossbuilding images
 - Support overlays by using PKGCATEGORY rather than CATEGORIES
 - testport/bulk -i: Fix for recent motd and root shell changes
 - testport/bulk -i: Support ${INTERACTIVE_SHELL} (sh or csh)
 - New test framework changes / 77 new tests (36 pkgbuild tests)
 - More shell builtins, a lot of framework updates, runtime asserts,
   some form of stack traces on errors
 - cpdup support for copy_file_range(2)
 - bulk: Add MUTUALLY_EXCLUSIVE_BUILD_PACKAGES (prevent rust+gcc+llvm
   building concurrently)
 - bulk build queue major rework
 - package fetch fixes for ABI
 - jail -l: Show __FreeBSD_version
 - bulk: Add FORCE_REBUILD_PACKAGES to allow rebuilding packages like
   pkg more easily
 - Web: Show git hash and overlays
 - Major process handling changes. No longer using pids for tracking;
   now using internal jobs identifiers
 - Blacklist/MOVED FLAVOR handling fixes
 - Subpackages - some fixes but incremental build remains broken
 - jail -c -m allbsd: removed
 - ports -d: -y added to not ask for confirmation
 - testport: don't delete /compat/linux
 - bulk/testport: -S removed - this was a hack. The functionality you
   actually want is coming in the next -devel update. See #822 on
   github
 - Allow PREFIX/poudriere.d/ports to be a symlink
 - QEMU error msg improvement
 - jail: use make.conf in jail creation
3 participants