Replying to two messages here...

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Alan DeKok
> Sent: Wednesday, January 07, 2004 11:11 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Free Radius and non-plain text passwords 
> 
> 
> "Phillip Ames" <[EMAIL PROTECTED]> wrote:
> > I have been able to get Free Radius to authenticate from a router
> > using CHAP.  The problem with this is that the passwords are stored
> > in plain text in the users file on the authentication server.
> 
>   See the FAQ.  This isn't much of a problem.

From the FAQ section 4.4:
-------------------------
You have 2 choices:

1. You allow CHAP and store all the passwords plaintext.
   Advantage: passwords don't go cleartext over the phone line between
   the user and the terminal server. Disadvantage: You have to
   store the passwords in cleartext on the server.

2. You don't allow CHAP, just PAP. Advantage: you don't store
   cleartext passwords on your system. Disadvantage: passwords go
   in cleartext over the phone line between the user and the terminal
   server.

Now, people say CHAP is more secure. Now you decide which is more likely:

- the phone line between the user and the terminal server gets sniffed
  and a cracker (a GOOD one) intercepts just one password
- your radius server is hacked into and a cracker gets ALL passwords
  of ALL users.

Right. Still think CHAP is more secure? I thought so.
-------------------------

Personally, I would find it more likely that the latter scenario occurs and
all the passwords are now in plaintext available to the cracker.  This also
seems to be what the last line implies, indicating that it _is_ a problem to
leave a lot of plaintext passwords lying around (or perhaps I'm just not
getting the sarcasm through a text-only rendition of the FAQ).  Regardless,
now that I have learned about the Crypt-Password attribute, I am satisfied
with how they are stored on the server user file.  Is it possible that the
sample "users" file could be updated to include a sample entry that uses a
Crypt-Password attribute?  Grep'ing the entire stock raddb/ directory shows
that it is only mentioned in mssql.conf (line 102) and postgresql.conf (line
126), which is fine for database users, but I think it's important enough that
it should be included in the generic "users" file which most people will at
least read when looking for examples.

[rest of message snipped]

On to message 2!

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Alan DeKok
> Sent: Wednesday, January 07, 2004 11:04 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Free Radius and non-plain text passwords (resolution) 

[snip]

> > On a side note, I was also unable to discover anything 
> different between
> > Auth-Type := System and Auth-Type := Local.
> 
>   There's a huge difference.  Try using the *default* configuration
> files as shipped, and you'll see that the users are authenticated
> against /etc/passwd, for Auth-Type = "System".  Read the default
> "users" file.  It explains this.

Thank you for pointing that out; I didn't see that previously.



-Phil


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
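The FAQ trade-off quoted above comes down to one protocol fact: a CHAP verifier must hold the cleartext secret, while a PAP verifier only needs a one-way hash. The following is an added illustration of that point, not FreeRADIUS code or anything from the thread. The attribute names borrow the users-file convention (Cleartext-Password is the later spelling of what the 2004 files wrote as User-Password); the PBKDF2 hash is a stand-in for crypt(3), and every username, password, salt and challenge is constructed sample data.

```python
"""CHAP (RFC 1994) versus PAP against a hashed credential store.

Added example, not FreeRADIUS code.  The users-file attribute names are
borrowed for readability; the hash format is a stand-in for crypt(3) and
all credentials below are constructed sample values.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 100_000  # assumption: any slow salted hash would serve here


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994 section 4.1: MD5(Identifier || secret || Challenge).

    The secret itself goes into the hash, which is why the server must
    store it in cleartext to check a response (the FAQ's choice 1).
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def make_password_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted one-way hash formatted as 'salthex$digesthex' (stand-in for crypt(3))."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def check_password_hash(stored: str, candidate: str) -> bool:
    """Recompute the hash over the candidate and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample store: one entry per storage choice described in the FAQ.
SAMPLE_SALT = bytes(range(16))
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"Cleartext-Password": "s3cret"},                               # choice 1: CHAP works
    "bob":   {"Crypt-Password": make_password_hash("hunter2", SAMPLE_SALT)},  # choice 2: PAP only
}


def authenticate_pap(users: Dict[str, Dict[str, str]], username: str, password: str) -> bool:
    """PAP delivers the password itself, so either storage form can be checked."""
    entry = users.get(username)
    if entry is None:
        return False
    if "Crypt-Password" in entry:
        return check_password_hash(entry["Crypt-Password"], password)
    if "Cleartext-Password" in entry:
        return hmac.compare_digest(entry["Cleartext-Password"].encode(), password.encode())
    return False


def authenticate_chap(users: Dict[str, Dict[str, str]], username: str,
                      identifier: int, challenge: bytes, response: bytes) -> bool:
    """CHAP delivers only MD5(id || secret || challenge); verifying it needs the secret."""
    entry = users.get(username)
    if entry is None or "Cleartext-Password" not in entry:
        # A one-way hash cannot be turned back into the secret that CHAP
        # hashes, so a Crypt-Password-only entry can never pass CHAP.
        return False
    expected = chap_response(identifier, entry["Cleartext-Password"], challenge)
    return hmac.compare_digest(expected, response)


def plaintext_exposure(users: Dict[str, Dict[str, str]]) -> List[str]:
    """Users whose password is readable by anyone who obtains a copy of the store.

    This is the cost side of the FAQ's choice 1: every CHAP-capable entry
    is a cleartext password on disk.
    """
    return [name for name, entry in users.items() if "Cleartext-Password" in entry]


if __name__ == "__main__":
    challenge = os.urandom(16)  # in RADIUS this is the NAS-supplied CHAP-Challenge
    good = chap_response(7, "s3cret", challenge)
    print("alice CHAP:", authenticate_chap(USERS, "alice", 7, challenge, good))
    print("bob   CHAP:", authenticate_chap(USERS, "bob", 7, challenge,
                                           chap_response(7, "hunter2", challenge)))
    print("bob   PAP :", authenticate_pap(USERS, "bob", "hunter2"))
    print("cleartext on disk:", plaintext_exposure(USERS))
```

Running it shows the two sides of the FAQ's argument side by side: alice can authenticate with CHAP but her password sits in cleartext in the store, while bob's hashed entry survives a copied store but can only be checked with PAP, where the password crosses the link in the clear.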
