Using SHA1 user password fields in freeradius radius server

Question

I have proprietary web application which stores user password in form of sha1$79b2c$b3704ec5703ef28ded379cf6c6de4c4160aa029b. This is a salted sha1 hash.

1. I want to use this presaved information for freeradius as well. Crypt-Password attribute is defined in radius but AFAIK it is just md5 hash of the password. I tried this but this didnt work as I expect. How can I use the same ceredentials for user validating in freeradius? Is it possible to run some script and accept accrding to its return value?

2. If I change the propietary web application to save user credntials on another form, what should I choose to be compatible with Freeradius? EXcept for Cleartext and MD5.

Answer 1

I have found how to do for the question part b:

The form sha1$79b2c$b3704ec5703ef28ded379cf6c6de4c4160aa029b has parts as: sha1$SALT$SALTEDPASSWORD

In Radius this is named as SSHA-Password Ref: http://www.packtpub.com/article/freeradius-authentication-storing-passwords Ref: http://freeradius.org/radiusd/man/rlm_pap.txt

1- Use the script in Ref1 to create a Salted SHA1 hash. prop-to-ssha.pl UserClearPass SALT

Output of this can be assgined to the attribute

SSHA-Password := OUTPUTOFPERLSCRIPT

And this works. I can automate my proprietary aplication and also create a radius password entry while creating users.

For part a of the question, I have no answers yet.

Answer 2

This works in Java

// Salted SHA1 with a random salt appended
String salt = UUID.randomUUID().toString().replaceAll("-", "");
hashPass = Base64.encodeBase64String(ArrayUtils.addAll(
                                DigestUtils.sha1(currPass.concat(salt)),
                                                salt.getBytes()));

You can now add 'hashPass' in RadCheck table with 'SSHA-Password' attribute. Base64 and DigestUtils are from Apache Commons.