1 (edited by rhollan 2010-07-23 09:31:57)

Topic: Adding NT/LM passwords and synching them with existing ones

Is this possible:

1) Add NT/LM hashes to the user records by importing the necessary (say samba) schema, and regenerating passwords for all users.

2) Keep existing password and NT/LM hashes in sync when passwords are changed.

Alternately, move toward NT/LM hashes.

Here's why:

In addition to using iRedMail for mail, I am also using it for authenticating other services via additional attributes for some users. In particular, I'd like it to authenticate wireless access via WPA2/Enterprise using EAP-PEAP with the usual Microsoft MSCHAPv2 authentication which requires the password database to store .... NT/LM hashes of the password.

Alternately, does anyone know if I can I force Windows EAP-PEAP clients to use PAP inner authentication? (Yeah, that is vulnerable to a dictionary attack, but so is any password scheme). EAP-PEAP allows this in theory, but I don't know if Windows clients support it.

On Edit: it looks like it should be easy to add LM and NTLM hashing of the password along with the existing hashing. Then email users could be used for MSCHAPv2 authentication.