help-gnu-radius

[Help-gnu-radius] Plain passwords in the SQL storage or howto: GNU Radiu


From: Michael Samanov
Subject: [Help-gnu-radius] Plain passwords in the SQL storage or howto: GNU Radius + SQL + CHAP auth
Date: Tue, 26 Nov 2002 15:09:21 +0300

Hi!

What a good morning/day/night/etc!!! Isn't it? Let's make it even better :-)

1) There is a feature of GNU Radius: if we choose SQL database storage then
all the passwords have to be stored in encrypted form. Why? It kills at once
the possibility to authorize clients' CHAP requests. Am I right? Please,
correct me if I'm wrong. But if it's so, maybe it will be good to permit
plain passwords in the SQL storage? Let the system administrators be allowed
to compromise their users' whole password table in an easy way :-)

2) Yet another suggestion: detect automatically whether the password is
encrypted or isn't. One of the possible ways is LDAP's /* OpenLDAP's
(http://www.openldap.org/) only? */. The encrypted/hashed passwords have a
special prefix such as "{crypt}" or "{md5}" or something. Here's an example
of such a password (my system's crypt is md5):

{crypt}$1$5QI1gwUx$Gm.2vCAitu6dlov.3cU/5/

This way we'll be able to freely mix plain and encrypted passwords.

3) The third way is to implement the "auth_query_plain" query in addition to
the "auth_query". The Radius daemon may check either of them or both in an
order determined by something or somebody. It is the way that's used by
Courier MTA (http://www.Courier-MTA.org/).

Sincerely yours,
  Michael (mailto:address@hidden)
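
The following is an added example, not part of the original message and not GNU Radius code. It sketches the prefix detection from suggestion 2 and shows why a hashed entry can still answer PAP but not CHAP. The function names, the fail-closed handling of unknown prefixes, and the "{md5}" encoding (base64 of the raw MD5 digest, as in OpenLDAP) are assumptions.

```python
import base64
import hashlib
import hmac

HASHED_SCHEMES = {"md5", "crypt"}  # the prefixes named in the post


def split_scheme(stored: str):
    """Split '{scheme}value'; scheme is None for an unprefixed (plain) value."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        scheme = stored[1:end].lower()
        if scheme not in HASHED_SCHEMES:
            # Fail closed: treating an unknown prefix as plain text would
            # make the stored hash string itself a valid password.
            raise ValueError(f"unknown password scheme: {scheme!r}")
        return scheme, stored[end + 1:]
    return None, stored


def md5_b64(cleartext: str) -> str:
    """Assumed '{md5}' value encoding: base64 of the raw MD5 digest."""
    return base64.b64encode(hashlib.md5(cleartext.encode()).digest()).decode()


def verify_pap(stored: str, cleartext: str) -> bool:
    """PAP hands the server the cleartext, so it can re-hash and compare."""
    scheme, value = split_scheme(stored)
    if scheme == "crypt":
        raise NotImplementedError("crypt(3) check omitted from this example")
    expected = md5_b64(cleartext) if scheme == "md5" else cleartext
    return hmac.compare_digest(value.encode(), expected.encode())


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over identifier octet, cleartext secret, challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(stored: str, ident: int, challenge: bytes, response: bytes):
    """Return True/False, or None when the stored form cannot answer CHAP."""
    scheme, value = split_scheme(stored)
    if scheme is not None:
        return None  # only a hash is stored; the CHAP input is unrecoverable
    expected = chap_response(ident, value.encode(), challenge)
    return hmac.compare_digest(expected, response)
```

With this detection rule, a plain password that itself begins with a "{...}" sequence is ambiguous and is rejected rather than guessed at.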




