Hi,

> 2. what is the best way to have encrypted transport
> and encrypted passwords?

It depends on what you mean by encryption. Of course you
can encrypt stuff by some symmetric encryption method and
store the key to get the cleartext from the encrypted text
somewhere (e.g. radius secrets), but that essentially means
the password is protected just by another password which
is somewhat pointless.

So, the term "encrypted" password as it's used in normal conversation
is just misleading. It normally really means "something which
allows you to check correctness of the password, but doesn't
allow you to get back to the password, no matter what". Typically,
it's a hashed password or a challenge-response protocol or something
similar, _not_ an encrypted password.

In that sense, you can have _either_ encrypted transport (i.e. the
server sends a challenge and the client encrypts the challenge
using the password as encryption key), then the server needs to
know the password to verify the correctness ((MS-)CHAP protocols).
_Or_ you can transfer the password ("unencrypted" transport)
and let the server check that it can be hashed to the correct
value (PAP-protocol).

However, you cannot avoid the need to _either_ actually
transfer the password in every authentication _or_ have the
server always know the password.

Of course, if you decide to transfer the password, you can
add some protection such that not everybody sniffing the
conversation can immediately read it (that's what the radius
secret is used for in the conversation between AP and radius server,
conversation between client and AP is the more vulnerable part,
though).

And just the same, if you decide to store it on the server, you
can add some protection such that not everybody sniffing on your
local network can easily read it (e.g. putting it on a local
disk instead of transporting it via NFS/Samba/whatever or
putting it in an encrypted file or putting it in a file readable
by root only and whatever else you can come up with).

        Regards,
                Stefan



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
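The two authentication flows contrasted in the reply above, as an added worked example that is not part of Stefan's message or of FreeRADIUS itself. It implements the CHAP response from RFC 1994 (MD5 over identifier, password and challenge) and the RADIUS User-Password hiding from RFC 2865 section 5.2 (MD5 of shared secret plus authenticator, XORed block by block), and shows which side has to know the cleartext in each case. All passwords, secrets, challenges and authenticators are constructed values; the salted PBKDF2 record is one reasonable choice for what a PAP server may store, not what any particular server does.

```python
"""CHAP forces the server to keep the cleartext password; PAP lets the
server keep only a hash but sends the password over the wire, hidden
merely by the RADIUS shared secret. All values below are constructed."""
import hashlib
import hmac
import os


# ---- CHAP (RFC 1994): challenge-response, nothing password-like on the wire
def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: CHAP-Password = MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(ident: int, stored_password: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Server side: recomputing the response requires the cleartext password;
    a salted hash of the password would be useless here."""
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)


# ---- PAP over RADIUS (RFC 2865 s5.2): password on the wire, hidden by secret
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes,
                         authenticator: bytes) -> bytes:
    """NAS/AP side: pad to 16-byte blocks, c1 = p1 ^ MD5(secret+authenticator),
    c_i = p_i ^ MD5(secret + c_{i-1}). Reversible by anyone holding the secret."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def radius_unhide_password(hidden: bytes, secret: bytes,
                           authenticator: bytes) -> bytes:
    """Server side (or a sniffer who has the secret): undo the hiding.
    Trailing NUL padding is stripped, so a password ending in 0x00 is
    ambiguous; that is a property of the RADIUS attribute format itself."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


# ---- what a PAP server may store instead of the cleartext: a salted slow hash
def make_password_record(password: bytes) -> tuple:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def pap_verify(record: tuple, candidate: bytes) -> bool:
    salt, digest = record
    probe = hashlib.pbkdf2_hmac("sha256", candidate, salt, 100_000)
    return hmac.compare_digest(probe, digest)


def demo() -> dict:
    """Run both flows once and report what each side had to know."""
    password = b"correct horse battery"    # constructed user password
    secret = b"example-shared-secret"      # constructed AP <-> RADIUS secret
    authenticator = os.urandom(16)         # Request Authenticator from the NAS
    challenge = os.urandom(16)             # CHAP challenge from the server

    # CHAP: verification needs the stored cleartext; a wrong password fails.
    resp = chap_response(1, password, challenge)
    chap_ok = chap_verify(1, password, challenge, resp)
    chap_wrong = chap_verify(1, b"wrong guess", challenge, resp)

    # PAP: the server recovers the password, checks it against the hash,
    # and never has to keep the cleartext on disk.
    hidden = radius_hide_password(password, secret, authenticator)
    recovered = radius_unhide_password(hidden, secret, authenticator)
    record = make_password_record(password)
    pap_ok = pap_verify(record, recovered)
    pap_wrong = pap_verify(record, b"wrong guess")
    # Without the shared secret the hidden attribute does not decode.
    no_secret = radius_unhide_password(hidden, b"other-secret", authenticator)

    return {"chap_ok": chap_ok, "chap_wrong": chap_wrong,
            "pap_ok": pap_ok, "pap_wrong": pap_wrong,
            "recovered_matches": recovered == password,
            "hidden_differs": hidden != password,
            "no_secret_matches": no_secret == password}


if __name__ == "__main__":
    print(demo())
```

The point the code makes concrete: `chap_verify` cannot be written against `make_password_record`'s output, while `pap_verify` can, and `radius_unhide_password` works for anybody who holds the shared secret, which is why the hiding in the AP-to-server leg is "just another password" rather than a one-way protection.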