FreeRADIUS supports salted hashes for user authentication, but there is very little material on how to generate these OpenLDAP-style hashes.
When using an SQL backend for your user management, it really is useful to have an SQL statement that can create these salted hashes for you, which is what the snippets below provide:
insert.sql: adds a new user to your radcheck table
update.sql: updates the password for an existing user in your radcheck table
Remember to replace the username (bob) and password (hello) in your prepared statements with templated parameters.
N.B. FreeRADIUS for some awful reason (there are no good reasons!) records the user's plaintext password by default in radpostauth; I strongly recommend you fix that in your local installation by editing the relevant query in /etc/freeradius/mods-config/sql/main/mysql/queries.conf
N.B. take care that your binary logs (including your replication logs) do not use a mode of operation that stores the user's plaintext password on INSERT/UPDATEs; for example, do not use statement-based binary logs, though mixed is okay as UUID() will force row-based logging to be utilised
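
The following is an added example, not the insert.sql or update.sql from this page: one way to build and check such a value in MySQL. It assumes MySQL 5.6 or later, the default radcheck columns (username, attribute, op, value), the FreeRADIUS SSHA2-256-Password attribute, and a 16-byte salt derived from UUID().

```sql
-- Added example; schema, attribute choice and salt length are assumptions.
-- Stored value = base64( SHA-256(password || salt) || salt ), OpenLDAP style.
-- UUID() is kept inside each writing statement (not in a separate SET), so
-- under mixed binary logging the statement itself is logged in row format.
-- 'bob' and 'hello' are the page's sample literals: bind them as parameters.

-- Add a new user
INSERT INTO radcheck (username, attribute, op, value)
SELECT 'bob', 'SSHA2-256-Password', ':=',
       TO_BASE64(CONCAT(UNHEX(SHA2(CONCAT('hello', s.salt), 256)), s.salt))
  FROM (SELECT UNHEX(REPLACE(UUID(), '-', '')) AS salt) AS s;

-- Change the password of an existing user (fresh salt every time)
UPDATE radcheck AS r
 CROSS JOIN (SELECT UNHEX(REPLACE(UUID(), '-', '')) AS salt) AS s
   SET r.value = TO_BASE64(CONCAT(UNHEX(SHA2(CONCAT('hello', s.salt), 256)),
                                  s.salt))
 WHERE r.username = 'bob'
   AND r.attribute = 'SSHA2-256-Password';

-- Test-only check on a scratch database: split the stored value back into
-- digest (first 32 bytes) and salt (the rest), recompute, and compare.
-- This query carries the plaintext, so keep it out of production query logs.
SELECT r.username,
       r.value = TO_BASE64(CONCAT(
           UNHEX(SHA2(CONCAT('hello', SUBSTRING(FROM_BASE64(r.value), 33)), 256)),
           SUBSTRING(FROM_BASE64(r.value), 33))) AS password_matches
  FROM radcheck AS r
 WHERE r.username = 'bob'
   AND r.attribute = 'SSHA2-256-Password';

-- TO_BASE64() inserts a newline after every 76 output characters. The 48 bytes
-- here encode to 64 characters, so nothing is wrapped; a longer digest such as
-- SHA-512 would need REPLACE(TO_BASE64(...), '\n', '') before storing.
```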