
Re: Where is info about {KERBEROS} ?



Any ideas for a Unix-only shop? :-) Cisco routers, XT-Radius daemon, OpenLDAP,
and no PDC.


On Mon, 15 Apr 2002, Adam Williams6 wrote:

> >>There is simply no way of getting the password back, and to be blunt, you
> >>don't want there to be any way to do that.
> >If you don't allow clear-text passwords back, how do you design a system where
> >you have a RADIUS daemon which requires the clear password to do CHAP (not PAP)
> >authentication ?
>
> Use M$-CHAPv2.  It is a challenge-response protocol but will work with an
> NT password hash (almost clear text).  If your PDC is samba with
> ldapsam then you simply design the ACL to permit the daemon (radius, ppp,
> whatever) to *read* the ntpassword attribute.   Recent pppd(s) support
> M$-CHAPv3, I don't know anything about radius.  I assume you could dig the
> NT hash out of ADS somehow, but I don't know anything about ADS.
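An added illustration, not part of the thread: the kind of OpenLDAP slapd.conf ACL the quoted reply describes, which lets only the RADIUS daemon's own bind DN read the NT hash while everyone else, including anonymous binds, gets nothing. The attribute names (ntPassword/lmPassword as in the Samba 2.2 schema; Samba 3 uses sambaNTPassword/sambaLMPassword) and the service DNs are assumptions.

```conf
# Constructed example: slapd.conf access directives (not from the thread).
#
# The NT hash is password-equivalent ("almost clear text" in the reply
# above), so it is treated like the cleartext: nobody reads it except the
# one service that must verify MS-CHAPv2 responses, and the Samba admin
# DN that writes it on password change.  Note "by * none" rather than
# "by * auth": "auth" would let slapd use the attribute for simple binds,
# which is pointless for a hash and widens exposure for nothing.
#
# OpenLDAP evaluates access directives in order and stops at the first
# "to" clause that matches, so this block must come BEFORE any general
# "access to * ..." clause, or the catch-all wins and the hash leaks.

access to attrs=ntPassword,lmPassword
    by dn.exact="cn=samba-admin,ou=services,dc=example,dc=com" write
    by dn.exact="cn=radius,ou=services,dc=example,dc=com" read
    by * none

# Ordinary entries stay readable; userPassword keeps the usual rule
# (bind-only for others, self may change it).
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to *
    by self write
    by users read
    by anonymous auth
```

Because the daemon's read of the hash is a cleartext-equivalent disclosure on the wire, the radius DN's bind and search should go over ldaps:// or StartTLS, and that DN's bind password deserves the same handling as the hashes it can read.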