[Fedora-directory-users] NT Password Hash Storage
Craig White
craigwhite at azapple.com
Fri Jan 13 22:10:54 UTC 2006
On Fri, 2006-01-13 at 12:35 -0500, Roger Spencer wrote:
> I'm working on getting wireless network clients to do authentication via
> radius plugged into Fedora DS. Windows will do PEAP for authentication,
> which encrypts the mschapv2 password check. FreeRadius supports this
> and all works well, except...
>
> For Radius to do mschapv2, using Fedora DS, the NT hash of the password
> must be in the directory. It cannot use the regular user's password.
>
> I used a perl script to hash a password and put it in a user's entry,
> using ntusercomment (for lack of finding a better field), told
> FreeRadius that ntusercomment is the NT-Password field it's looking for,
> and I was able to successfully authenticate from a Windows box over the
> wireless card using WAP. Obviously this is not a good long term solution.
>
> 1) Does anyone know of a better way to store NT password hashes in the
> directory?
>
> 2) Is there a way to update the hash when the user changes their
> password? Maybe have DS call a perl script when a password change occurs?
>
> 3) Is there a better way of doing this?
>
----
I am unclear how you are doing authentication by Windows users to the
network in a normal login...via AD?
anyway, my inclination is to setup Fedora-DS to use samba schema
http://directory.fedora.redhat.com/wiki/Howto:Samba
as that would give you a sambaNTPassword attribute which is normally the
hashed password as expected but how that relates to question
#2...updating the hash when the user changes their password...I suppose
that would depend upon the chain of events that occur where/when the
user changes their password...how is this information going to be sent
to fedora-ds?
Craig
More information about the Fedora-directory-users
mailing list