How can Freeradius detect if the password provided is right when only the salted hash is stored



  • I am discovering both Freeradius and the password hashing mechanism. I built a database (in MySQL) to store the passwords of some users. I have a user with the password in clear text, another one hashed in SHA256 without salt and the last one hashed in SHA256 and salted.

    I used this script to create the salted hash : https://gist.github.com/bestrocker221/f506eee8ccadc60cab71d5f633b7cc07

    When I am testing the connection to the radius server (with the command radtest and with another computer running ubuntu), all of the accounts can be accessed.

    Here is the database content : (Each user has the same password, "passroot")

    mysql> select * from radcheck;
    | id | username | attribute          | op | value |
    |  1 | user1    | Cleartext-Password | := | passroot |
    |  2 | user2    | SHA2-Password      | := | ef653cafdcaf5b3733c7c5aa24b781c5c952618642efd2abc04b9c6efccac8258bc84a881850d9ffa8e6c91953c8ca7613f49dea007ae6437ccf26b8f10fadfb |
    |  4 | toto     | SSHA2-256-Password | := | /F8Bymi/qgL4rQHP9C+8jDciSLmr/PZEc5JJNoCwRelzZWxkZW1lcg== |
    

    The authentication with the account using the salt method is working :

    root@Principale:~/share# radtest toto passroot 192.168.150.1 1812 passroot
    Sent Access-Request Id 117 from 0.0.0.0:39617 to 192.168.150.1:1812 length 74
    User-Name = "toto"
    User-Password = "passroot"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 1812
    Message-Authenticator = 0x00
    Cleartext-Password = "passroot"
    Received Access-Accept Id 117 from 192.168.150.1:1812 to 192.168.150.1:39617   length 20
    
    root@Principale:~/share# tail /var/log/freeradius/radius.log
    Tue May 4 16:32:07 2021 : Info: Need 7 more connections to reach 10 spares
    Tue May 4 16:32:07 2021 : Info: rlm_sql (sql): Opening additional connection (42), 1 of 29 pending _slots used
    Tue May 4 16:32:07 2021 : Auth: (164) Login OK: [toto/passroot] (from client test port 1812)
    root@Principale:~/share#
    

    I don't understand how freeradius can match the password provided by the user to the salted hash stored in the database when it doesn't know the salt I used.



  • The hash and salt are both in the value column. After Base64 decoding, the first 32 bytes are the hash, and the rest is the salt (in your case, it's the ASCII string seldemer).
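    As an added illustration (my own code, not part of the answer above, the linked gist, or FreeRADIUS itself), the Python below reproduces the check rlm_pap performs for an SSHA2-256-Password value: base64-decode, take the first 32 bytes as the digest, treat everything after them as the salt, recompute SHA-256(password || salt) and compare in constant time. It assumes the gist built the value the same way (digest first, then salt, with the salt appended to the password before hashing), which is what FreeRADIUS expects and what the Login OK above confirms. The function names are mine; the `TOTO_VALUE` string is copied from the radcheck table in the question. Incidentally, the SHA2-Password value shown is 128 hex characters, i.e. a 64-byte SHA-512 digest rather than SHA-256; FreeRADIUS selects the SHA-2 variant from the digest length, which is why that account also works.

```python
import base64
import hashlib
import hmac
import os

SHA256_LEN = 32  # SSHA2-256 stores a fixed-size digest, so the salt is simply the remainder


def parse_ssha2_256(stored: str) -> tuple:
    """Split a stored SSHA2-256-Password value into (digest, salt).

    Layout: base64( SHA256(password || salt) || salt ).  The digest is always
    32 bytes, so the server never needs to know the salt length in advance.
    """
    raw = base64.b64decode(stored, validate=True)
    if len(raw) <= SHA256_LEN:
        raise ValueError("value too short: need a 32-byte digest plus at least 1 byte of salt")
    return raw[:SHA256_LEN], raw[SHA256_LEN:]


def make_ssha2_256(password: str, salt=None) -> str:
    """Build a value suitable for the radcheck SSHA2-256-Password attribute.

    The salt may be any bytes; a fresh random salt is generated when none is given.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def verify_ssha2_256(stored: str, password: str) -> bool:
    """What rlm_pap does: recover the salt from the stored value, rehash, compare."""
    digest, salt = parse_ssha2_256(stored)
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so a wrong password does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


# Copied from the radcheck table in the question (not a constructed value).
TOTO_VALUE = "/F8Bymi/qgL4rQHP9C+8jDciSLmr/PZEc5JJNoCwRelzZWxkZW1lcg=="


if __name__ == "__main__":
    digest, salt = parse_ssha2_256(TOTO_VALUE)
    print("digest (hex):", digest.hex())
    print("salt:", salt)  # b'seldemer'
    print("passroot accepted:", verify_ssha2_256(TOTO_VALUE, "passroot"))
    print("Passroot accepted:", verify_ssha2_256(TOTO_VALUE, "Passroot"))

    # Round trip with a constructed salt to show the server-side check is self-contained.
    fresh = make_ssha2_256("passroot")
    print("fresh value:", fresh, "->", verify_ssha2_256(fresh, "passroot"))
```

    Note that the salt is stored in plain sight next to the digest; its job is only to make identical passwords hash differently and to defeat precomputed tables, not to be secret. A single SHA-256 round with a salt is still far faster to brute-force than a purpose-built password hash, so for anything beyond a lab setup prefer the Crypt-Password attribute with a slow algorithm.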


