On Mon, Feb 25, 2002 at 01:18:33PM -0500, Kurt Hockenbury wrote:

> Here's my situation. I have a few thousand users, and they'd like to be able
> to do VPN. I have a cisco VPN box, that supports radius. I have a crypt(3)
> unix passwd file, and an smbpasswd file, with entries in both for all users.
>
> Now I could use freeradius with PAP authentication against the crypt(3)
> passwords -- but then passwords are going to be flying around in the clear,
> which is no good, especially since some of those VPN users could be coming in
> over a wireless connection.

Inside of the RADIUS protocol, the password is not in the clear. Choose carefully the shared "secret" between RADIUS server and client, and change it at the same rate you expire users' passwords. Where could it be in the clear? Only at the user's keyboard, and potentially in the communication between the user and the RADIUS client. Make sure that communication between the RADIUS client and the user-controlled software is protected, if possible. (Sorry -- I don't know about Cisco's product.)

> So that implies using CHAP. But I don't have plaintext passwords for these
> users.

Right. Without having plaintext or decryptable passwords, you can't do cryptographic authentication. Tanstaafl. Perhaps you should do PAP auth for a little while, and ask users to "change" their passwords, and when they do, store the plaintext version.

> I have seen tantalizing glimpses that it may be possible to use our smbpasswd
> file to do MS-CHAP authentication, but I can't find any specific instructions
> as to how to make this happen.

An aside: An SMB password file is nearly as good as plaintext. It's trivial to extract the majority of the passwords (all fall with a little computation, but few users choose "good" passwords), though not the case of the letters.

> So my question is, is this possible? And if so, can someone point me to (even
> rough) instructions?

Yes. The example exec-program program might give you tips about a way to implement it. There may be other ways, too.

--
Chad Miller <[EMAIL PROTECTED]> <url: http://www.advogato.org/person/cmiller/>
``Having a smoking section in a restaurant is like having a peeing section in a pool.''

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
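The "not in the clear" claim above rests on the User-Password hiding of RFC 2865 section 5.2: the NAS XORs the password with MD5(shared secret + Request Authenticator), chaining later blocks on the previous ciphertext block. The following is an added example, not code from this thread or from FreeRADIUS, implementing both the NAS-side hiding and the server-side unhiding so that the dependence on the secret and on a fresh authenticator is visible; the password, secret and authenticator values are constructed.

```python
import hashlib
import os


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 (NAS side): pad the password with NULs to a multiple of
    16 bytes, then XOR each 16-byte chunk with MD5(secret + previous ciphertext
    block); the first chunk is keyed with MD5(secret + Request Authenticator)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block  # chaining: next key depends on this ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password (RADIUS server side). Trailing NUL padding
    is stripped, which is safe because RADIUS passwords contain no NUL bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(plain).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed values; a real NAS draws a fresh random authenticator per request.
    secret = b"example-shared-secret"
    auth = os.urandom(16)
    pw = b"correct horse battery"
    hidden = hide_user_password(pw, secret, auth)
    print("hidden attribute:", hidden.hex())
    print("server recovers :", reveal_user_password(hidden, secret, auth))
    # Same secret and a reused authenticator give identical ciphertext, which is
    # why the secret strength and authenticator freshness both matter.
    print("deterministic   :", hidden == hide_user_password(pw, secret, auth))
```

The protection is only as good as the shared secret: anyone holding it and observing the packet (including the Request Authenticator, which is sent in the clear) recovers the password exactly as the server does.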
