Re: Where is info about {KERBEROS} ?
Any ideas for a Unix-only shop? :-) Cisco routers, XT-Radius daemon, OpenLDAP
and no PDC.
On Mon, 15 Apr 2002, Adam Williams6 wrote:
> >>There is simply no way of getting the password back, and to be blunt, you
> >>don't want there to be any way to do that.
> >If you don't allow clear-text passwords back, how do you design a system where
> >you have a RADIUS daemon which requires the clear password to do CHAP (not PAP)
> >authentication ?
>
> Use M$-CHAPv2. It is a challenge-response protocol but will work with an
> NT password hash (almost clear text). If your PDC is samba with
> ldapsam then you simply design the ACL to permit the daemon (radius, ppp,
> whatever) to *read* the ntpassword attribute. Recent pppd(s) support
> M$-CHAPv3, I don't know anything about radius. I assume you could dig the
> NT hash out of ADS somehow, but I don't know anything about ADS.
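
The constraint discussed in this thread, as an added example that is not part of the original messages: a RADIUS daemon can check PAP against a one-way OpenLDAP `{SSHA}` value, but the CHAP response (RFC 1994) is computed over the clear password, so a salted hash in the directory cannot verify it. The function names, password, salt and challenge below are constructed for illustration.

```python
import base64
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, secret: bytes) -> bool:
    """Check a RADIUS CHAP-Password value (1-byte CHAP ident + 16-byte response).

    `secret` must be exactly what the client hashed, i.e. the clear password.
    """
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(response, chap_response(ident, secret, challenge))


def make_ssha(password: bytes, salt: bytes) -> str:
    """OpenLDAP-style userPassword: {SSHA} + base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_pap_ssha(stored: str, candidate: bytes) -> bool:
    """PAP delivers the password itself, so it can be re-hashed with the stored salt."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(candidate + salt).digest())


def demo() -> dict:
    password = b"s3cret-example"            # constructed sample password
    challenge = bytes(range(16))            # constructed 16-byte challenge
    ident = 7                               # constructed CHAP identifier
    stored = make_ssha(password, b"\x01\x02\x03\x04")   # what the directory holds
    # What the dial-in client sends: it knows the clear password.
    chap_password = bytes([ident]) + chap_response(ident, password, challenge)
    return {
        "pap_with_ssha": verify_pap_ssha(stored, password),
        "chap_with_cleartext": verify_chap(chap_password, challenge, password),
        # The server only has the {SSHA} string: it cannot reproduce the MD5 input.
        "chap_with_ssha_only": verify_chap(chap_password, challenge, stored.encode()),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```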