I am discovering both FreeRADIUS and password hashing mechanisms. I built a database (in MySQL) to store the passwords of some users. I have a user with the password in clear text, another one hashed with SHA256 without salt, and the last one hashed with SHA256 and salted.
I used this script to create the salted hash: https://gist.github.com/bestrocker221/f506eee8ccadc60cab71d5f633b7cc07
When I test the connection to the RADIUS server (with the radtest command, from another computer running Ubuntu), all of the accounts can be accessed.
Here is the database content (each user has the same password, "passroot"):
mysql> select * from radcheck;
| id | username | attribute          | op | value                                                                                                                            |
| 1  | user1    | Cleartext-Password | := | passroot                                                                                                                         |
| 2  | user2    | SHA2-Password      | := | ef653cafdcaf5b3733c7c5aa24b781c5c952618642efd2abc04b9c6efccac8258bc84a881850d9ffa8e6c91953c8ca7613f49dea007ae6437ccf26b8f10fadfb |
| 4  | toto     | SSHA2-256-Password | := | /F8Bymi/qgL4rQHP9C+8jDciSLmr/PZEc5JJNoCwRelzZWxkZW1lcg==                                                                         |
The authentication with the account using the salt method is working:
root@Principale:~/share# radtest toto passroot 192.168.150.1 1812 passroot
Sent Access-Request Id 117 from 0.0.0.0:39617 to 192.168.150.1:1812 length 74
User-Name = "toto"
User-Password = "passroot"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "passroot"
Received Access-Accept Id 117 from 192.168.150.1:1812 to 192.168.150.1:39617 length 20
root@Principale:~/share# tail /var/log/freeradius/radius.log
Tue May 4 16:32:07 2021 : Info: Need 7 more connections to reach 10 spares
Tue May 4 16:32:07 2021 : Info: rlm_sql (sql): Opening additional connection (42), 1 of 29 pending slots used
Tue May 4 16:32:07 2021 : Auth: (164) Login OK: [toto/passroot] (from client test port 1812)
root@Principale:~/share#
I don't understand how FreeRADIUS can match the password provided by the user to the salted hash stored in the database when it doesn't know the salt I used.
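The following is an added example, not code from the poster or from FreeRADIUS itself, that shows what the server has to work with. The SSHA2-256-Password layout used by rlm_pap is base64(SHA256(password || salt) || salt): the salt is not secret, it is stored right after the 32-byte digest, so the server recovers it from the value, recomputes the hash with the supplied password, and compares. The two stored values are copied from the radcheck table above; the helper names (`split_ssha256`, `verify_ssha256`, `sha2_variant_for_hex`) are mine. The last helper reflects that, for the unsalted SHA2-Password attribute, rlm_pap chooses the SHA-2 variant from the stored length alone.

```python
import base64
import hashlib
import hmac

# Values copied from the question's radcheck table.
STORED_SSHA256 = "/F8Bymi/qgL4rQHP9C+8jDciSLmr/PZEc5JJNoCwRelzZWxkZW1lcg=="   # toto, SSHA2-256-Password
STORED_SHA2_HEX = (                                                          # user2, SHA2-Password
    "ef653cafdcaf5b3733c7c5aa24b781c5c952618642efd2abc04b9c6efccac825"
    "8bc84a881850d9ffa8e6c91953c8ca7613f49dea007ae6437ccf26b8f10fadfb"
)

SHA256_LEN = 32  # bytes


def split_ssha256(stored_b64: str) -> tuple[bytes, bytes]:
    """Decode an SSHA2-256-Password value into (digest, salt).

    Layout: base64( SHA256(password || salt) || salt ). The first 32 bytes are
    the digest; everything after them is the salt, which therefore travels
    with the hash and is available to the verifier.
    """
    raw = base64.b64decode(stored_b64, validate=True)
    if len(raw) <= SHA256_LEN:
        raise ValueError("value too short to hold a SHA-256 digest plus a salt")
    return raw[:SHA256_LEN], raw[SHA256_LEN:]


def make_ssha256(password: str, salt: bytes) -> str:
    """Build a value in the same digest-then-salt layout (hypothetical helper)."""
    digest = hashlib.sha256(password.encode() + salt).digest()
    return base64.b64encode(digest + salt).decode()


def verify_ssha256(password: str, stored_b64: str) -> bool:
    """Recover the salt from the stored value, rehash, and compare in constant time."""
    digest, salt = split_ssha256(stored_b64)
    candidate = hashlib.sha256(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def sha2_variant_for_hex(stored_hex: str) -> str:
    """Name the SHA-2 variant an unsalted hex SHA2-Password value corresponds to.

    rlm_pap does not carry the variant in the attribute name; it infers it from
    the length of the decoded value (28/32/48/64 bytes).
    """
    by_len = {28: "sha224", 32: "sha256", 48: "sha384", 64: "sha512"}
    nbytes = len(bytes.fromhex(stored_hex))
    if nbytes not in by_len:
        raise ValueError(f"{nbytes} bytes is not a SHA-2 digest length")
    return by_len[nbytes]


if __name__ == "__main__":
    digest, salt = split_ssha256(STORED_SSHA256)
    print("digest bytes:", len(digest), "salt:", salt)
    print("passroot verifies against stored value:",
          verify_ssha256("passroot", STORED_SSHA256))
    print("SHA2-Password value is a", sha2_variant_for_hex(STORED_SHA2_HEX), "digest")
```

Decoding the posted value yields a 32-byte digest followed by the 8-byte salt `seldemer`, which is exactly what the server reads back before rehashing; nothing about the salt needs to be configured on the FreeRADIUS side. The same length-based logic shows that the 128-hex-character SHA2-Password value is 64 bytes long, i.e. a SHA-512 digest, which rlm_pap accepts under that attribute.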