问题描述
我无法弄清楚如何编辑this Radius MSCHAPv2 example并从radius客户端获取密码。我正在使用的go库是https://github.com/layeh/radius。
MSCHAPv2是否发送带有密码的用户名?如何从客户端到服务器获取密码?
function show_table($tabela)
{
$conexao=conectadb('venda');
$sql = "DESCRIBE $tabela";
$result = $conexao->query($sql);
while ($coluna = $result->fetch_assoc())
{
echo "<p>".$coluna['Field']." - ";
echo $coluna['Type']."</p>";
}
我使用以下命令编辑了函数的顶部
package microsoft
import (
"log"
"reflect"
"layeh.com/radius"
"layeh.com/radius/rfc2759"
"layeh.com/radius/rfc2865"
"layeh.com/radius/rfc2868"
"layeh.com/radius/rfc2869"
"layeh.com/radius/rfc3079"
)
const (
radiusSecret = "secret"
)
func RunRadiusServer() {
handler := func(w radius.ResponseWriter,r *radius.Request) {
username := rfc2865.UserName_GetString(r.Packet)
challenge := MSCHAPChallenge_Get(r.Packet)
response := MSCHAP2Response_Get(r.Packet)
// TODO: look up user in local database.
// The password must be stored in the clear for CHAP mechanisms to work.
// In theory,it would be possible to use a password hashed with MD4 as
// all the functions in MSCHAPv2 use the MD4 hash of the password anyway,// but given that MD4 is so vulerable that breaking a hash is almost as
// fast as computing it,it's just not worth it.
password := "password-from-database"
if len(challenge) == 16 && len(response) == 50 {
// See rfc2548 - 2.3.2. MS-CHAP2-Response
ident := response[0]
peerChallenge := response[2:18]
peerResponse := response[26:50]
ntResponse,err := rfc2759.GenerateNTResponse(challenge,peerChallenge,username,password)
if err != nil {
log.Printf("Cannot generate ntResponse for %s: %v",err)
w.Write(r.Response(radius.CodeAccessReject))
return
}
if reflect.DeepEqual(ntResponse,peerResponse) {
responsePacket := r.Response(radius.CodeAccessAccept)
recvKey,err := rfc3079.MakeKey(ntResponse,password,false)
if err != nil {
log.Printf("Cannot make recvKey for %s: %v",err)
w.Write(r.Response(radius.CodeAccessReject))
return
}
sendKey,true)
if err != nil {
log.Printf("Cannot make sendKey for %s: %v",err)
w.Write(r.Response(radius.CodeAccessReject))
return
}
authenticatorResponse,err := rfc2759.GenerateAuthenticatorResponse(challenge,ntResponse,password)
if err != nil {
log.Printf("Cannot generate authenticator response for %s: %v",err)
w.Write(r.Response(radius.CodeAccessReject))
return
}
success := make([]byte,43)
success[0] = ident
copy(success[1:],authenticatorResponse)
rfc2869.AcctInterimInterval_Add(responsePacket,rfc2869.AcctInterimInterval(3600))
rfc2868.TunnelType_Add(responsePacket,rfc2868.TunnelType_Value_L2TP)
rfc2868.TunnelMediumType_Add(responsePacket,rfc2868.TunnelMediumType_Value_IPv4)
MSCHAP2Success_Add(responsePacket,[]byte(success))
MSMPPERecvKey_Add(responsePacket,recvKey)
MSMPPESendKey_Add(responsePacket,sendKey)
MSMPPEEncryptionPolicy_Add(responsePacket,MSMPPEEncryptionPolicy_Value_EncryptionAllowed)
MSMPPEEncryptionTypes_Add(responsePacket,MSMPPEEncryptionTypes_Value_RC440or128BitAllowed)
log.Printf("Access granted to %s",username)
w.Write(responsePacket)
return
}
}
log.Printf("Access denied for %s",username)
w.Write(r.Response(radius.CodeAccessReject))
}
server := radius.PacketServer{
Handler: radius.HandlerFunc(handler),SecretSource: radius.StaticSecretSource([]byte(radiusSecret)),}
log.Printf("Starting Radius server on :1812")
if err := server.ListenAndServe(); err != nil {
log.Fatal(err)
}
}
用户名正确。密码为空。用户名1。我无法对2是什么进行排序,因为它不会将字节转换为字符串。
还有一个类似的但不是特定于问题的问题here,也未正确回答。谢谢!
解决方法
这不是我特别熟悉的机制,但是我希望CHAP协议不会通过网络发送密码,因此您无法从客户端获取密码。相反,您会生成预期的响应,知道客户端应使用的密码并将其与从客户端获得的响应进行比较-如果它们匹配,则使用相同的秘密密码来生成两个响应,并且一切都很好,否则会出现不匹配的情况。某个地方,而您不授予访问权限。
,在MSCHAPv2中,客户端发送用户密码哈希。明文密码无法访问。如果需要进行身份验证-您需要从用户身份存储中获取密码,请以相同的方式对其进行哈希处理,然后比较两个散列-您的散列和从客户端获得的散列。
详细信息,客户发送:
- MSCHAP-挑战包含16字节挑战
- MSCHAP-响应包含:
- 16字节客户端挑战
- 保留8个字节
- 24字节NT响应= DesEncrypt(SHA1(客户端质询,服务器质询,用户名),MD4Hash(密码))
- 1个字节的标志“使用NT质询响应或LAN质询响应”
服务器从ID存储中获取MSCHAP-质询,客户端质询和用户密码,并计算NT响应。如果等于已收到–服务器发送访问接受,否则发送拒绝