
I have read a lot about authenticating strongSwan to SQL/PAM but can't find any idea/solution for how to authenticate against a database where there are already plenty of username and password combinations encrypted with bcrypt+salt. I don't know the plaintext passwords, so I don't understand how to start.

I wrote a custom RADIUS server (using pyrad), but it only supports PAP, which is not a good solution nowadays. So basically, with this solution I was able to achieve my goal, but it is really not secure. In every client I had to disable MSCHAPv2 and enable only PAP.

I have searched for days for this, but to me it seems impossible to authenticate them without the plaintext password. Maybe I don't understand the whole process, but I can't find any solution yet for my case. I tried FreeRADIUS with my data from SQL, but the passwords are stored differently from what FreeRADIUS expects.

Can you recommend a technology/idea for how to achieve this? Somehow I want to authenticate them.

Thank you!

csib

1 Answer

Commonly used username/password-based EAP methods (like EAP-MSCHAPv2) don't work without plaintext passwords because they use a challenge-response exchange (i.e. both client and server need the plaintext password to come to the same result when using a random challenge).

While there are EAP methods that transmit a plaintext password (e.g. EAP-GTC), which could then be checked against hashes, they are not supported by many clients. There are also modern password-based authentication schemes, based on zero-knowledge proofs, for IKEv2 and EAP that don't require storing or transmitting plaintext passwords, but they have the same issue regarding support.

Please refer to one of my previous answers for details.

ecdsa
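To make the answer's point concrete, here is an added illustration (not code from the question or the answer, and not an implementation of real EAP-MSCHAPv2). It contrasts the two verification models: with a salted, one-way password hash the server can only check a password the client actually transmits (PAP), whereas a challenge-response exchange requires the server to hold the password (or a password-equivalent key derived from it) so it can compute the same response as the client. Assumptions: PBKDF2-HMAC-SHA256 stands in for bcrypt+salt, an HMAC over the challenge stands in for the MSCHAPv2 response computation, and the sample user and salt are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 100_000  # work factor of the stand-in for bcrypt's cost parameter


def make_stored_credential(password: str, salt: Optional[bytes] = None) -> dict:
    """Stand-in for the bcrypt+salt record already present in the database.

    The server only keeps (salt, digest); the plaintext is never stored,
    and the digest cannot be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_pap(stored: dict, transmitted_password: str) -> bool:
    """PAP / EAP-GTC style check: the client sends the password itself and
    the server re-derives the salted digest and compares it in constant time.
    This is the only check possible when the server holds just a one-way hash."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", transmitted_password.encode("utf-8"), stored["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest, stored["digest"])


def client_challenge_response(password: str, challenge: bytes) -> bytes:
    """Simplified challenge-response (stand-in for EAP-MSCHAPv2):
    the client proves knowledge of the password by keying a MAC over the
    server's random challenge, so the password itself never crosses the wire."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()


def verify_challenge_response(server_copy_of_password: str, challenge: bytes, response: bytes) -> bool:
    """Server side of the challenge-response check.

    Note the input: the server needs the same password (or, in real
    MSCHAPv2, the password-equivalent NT hash) to recompute the expected
    response. A salted bcrypt/PBKDF2 digest cannot be used here, because the
    response is keyed by the password, not by the digest."""
    expected = client_challenge_response(server_copy_of_password, challenge)
    return hmac.compare_digest(expected, response)


def new_challenge() -> bytes:
    """Fresh random challenge per authentication attempt, so a captured
    response cannot be replayed against a later challenge."""
    return os.urandom(16)


if __name__ == "__main__":
    # Constructed sample: a user whose password was hashed at enrolment time.
    stored = make_stored_credential("correct horse battery staple")

    # PAP works against the stored hash...
    print("PAP, right password:", verify_pap(stored, "correct horse battery staple"))
    print("PAP, wrong password:", verify_pap(stored, "hunter2"))

    # ...but the challenge-response verifier has no way to use `stored`;
    # it needs the password (or a password-equivalent) on the server side.
    challenge = new_challenge()
    response = client_challenge_response("correct horse battery staple", challenge)
    print("CR, server knows password:", verify_challenge_response("correct horse battery staple", challenge, response))
    print("CR, server has only the hash: not computable from `stored`")
```

The practical consequence for the question is the one the answer states: a database of bcrypt hashes can back PAP or EAP-GTC (the password is transmitted and checked server-side), but not EAP-MSCHAPv2, whose response is keyed by the password-equivalent NT hash that a bcrypt record does not contain.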