Debian – How to encrypt user password in Freeradius

I recently set up a freeradius server and would like to change the user password that is presently in cleartext to encrypted in the /etc/freeradius/3.0/users file.

This is what it looks like on the server.

When I authenticate on the server, I can see the username and password in the /var/log/freeradius/radius.log file. How can I get it encrypted? I'm using Debian.

Best Answer

Here is the list of attributes corresponding to each hashing method: https://freeradius.org/radiusd/man/rlm_pap.txt

Header          Attribute           Description
------          ---------           -----------
{clear}         Cleartext-Password  Clear-text passwords
{cleartext}     Cleartext-Password  Clear-text passwords
{crypt}         Crypt-Password      Unix-style "crypt"ed passwords
{md5}           MD5-Password        MD5 hashed passwords
{base64_md5}    MD5-Password        MD5 hashed passwords
{smd5}          SMD5-Password       MD5 hashed passwords, with a salt
{sha}           SHA-Password        SHA1 hashed passwords
                SHA1-Password       SHA1 hashed passwords
{ssha}          SSHA-Password       SHA1 hashed passwords, with a salt
{sha2}          SHA2-Password       SHA2 hashed passwords
{sha224}        SHA2-Password       SHA2 hashed passwords
{sha256}        SHA2-Password       SHA2 hashed passwords
{sha384}        SHA2-Password       SHA2 hashed passwords
{sha512}        SHA2-Password       SHA2 hashed passwords
{ssha224}       SSHA2-224-Password  SHA2 hashed passwords, with a salt
{ssha256}       SSHA2-256-Password  SHA2 hashed passwords, with a salt
{ssha384}       SSHA2-384-Password  SHA2 hashed passwords, with a salt
{ssha512}       SSHA2-512-Password  SHA2 hashed passwords, with a salt
{nt}            NT-Password         Windows NT hashed passwords
{nthash}        NT-Password         Windows NT hashed passwords
{md4}           NT-Password         Windows NT hashed passwords
{x-nthash}      NT-Password         Windows NT hashed passwords
{ns-mta-md5}    NS-MTA-MD5-Password Netscape MTA MD5 hashed passwords
{x- orcllmv}    LM-Password         Windows LANMAN hashed passwords
{X- orclntv}    NT-Password         Windows NT hashed passwords

Don't forget that the protocol and method you are using to authenticate your client will affect which method of hashing you can use.

You can find a table I used to configure my Freeradius server for the protocol and password compatibility : http://deployingradius.com/documents/protocols/compatibility.html

To generate a sha256 salted password, I used the following script on github (you need to edit the last 2 lines to change the password and the salt) : https://gist.github.com/bestrocker221/f506eee8ccadc60cab71d5f633b7cc07
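
An added example (not the linked gist and not FreeRADIUS code): a Python script that builds a value for the SSHA2-256-Password attribute from the table above and checks a password against it. It assumes the salted layout base64(SHA-256(password + salt) + salt) and a users-file line of the form `name Attribute := "value"`; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def make_ssha256(password: str, salt: Optional[bytes] = None) -> str:
    """Return base64(SHA256(password || salt) || salt)."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every user
    if not salt:
        raise ValueError("salt must not be empty")
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def verify_ssha256(password: str, encoded: str) -> bool:
    """Re-derive the digest using the salt stored after the first 32 bytes."""
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) <= DIGEST_LEN:
        return False  # nothing after the digest: not a salted value
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def users_entry(username: str, password: str) -> str:
    """Format one users-file line (assumed syntax: name Attribute := "value")."""
    return f'{username}\tSSHA2-256-Password := "{make_ssha256(password)}"'


if __name__ == "__main__":
    import getpass
    user = input("Username: ")
    # getpass keeps the password out of the terminal echo and shell history
    print(users_entry(user, getpass.getpass("Password: ")))
```

The printed line replaces the user's Cleartext-Password entry in /etc/freeradius/3.0/users.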
