> Hi,
> I'm attempting to use freeradius to authenticate a wireless network in my
> organisation, using self-signed certificates.
> I have installed freeradius 2.1.10 from the debian 6 repository, set up a basic
> configuration according to the instructions on the freeradius.org site, and finally
> I've configured freeradius to use mysql.
> It seems to work properly, but I wonder if it is safe to keep user
> passwords and the client secret in plaintext? I searched the lists and googled
> a bit, but I can't find any information regarding this case.
> So:
> 1 - is there a way (or sense) to hash the shared secret in my database?
> 2 - Can I hash user passwords if I'm using EAP-TLS?
> 2a - if I'm using certificates for authentication, do I actually need to
> keep user passwords? Because it seems that they aren't used during
> authentication (or I didn't find that part during debugging)
It depends on many things. How paranoid are you? What sort of security level does this server have? Is the MySQL on a separate server from the FR daemon? Is the SQL connection encrypted? And more.

You can hash (salted please!) the passwords so that they are not readable.... but if someone has that sort of access to the DB, then might they not already be inserting their own user/pass for access? Security by obscurity isn't the best way.... being worried about such a thing and being more secure and paranoid about security over the server/system might be a better way :-)

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
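
Two of the original questions can be answered concretely, so here is an added example; it is not code from the list or from the FreeRADIUS project. The shared secret (question 1) cannot be hashed: RADIUS uses the secret itself as MD5 key material for the Response Authenticator and for User-Password obfuscation (RFC 2865), so the server must hold it in the clear, and protecting the `nas` table and the SQL connection is the only option. User passwords (question 2) can be stored as a salted hash that rlm_pap verifies, but only for methods where the client sends the password in a form the server can re-hash: PAP, or EAP-TTLS carrying PAP. CHAP and MS-CHAP, including PEAP/EAP-MSCHAPv2, need Cleartext-Password or NT-Password, and EAP-TLS (question 2a) never consults a password attribute at all, so a cert-only user needs no password row. The Python below assumes the stock FreeRADIUS 2.x SQL schema (a `radcheck` table with `username`, `attribute`, `op`, `value` columns), the SSHA-Password format rlm_pap accepts, which is base64 of SHA1(password || salt) followed by the salt, and MySQLdb's `%s` DB-API placeholder style; the sample rows are constructed and no database connection is made.

```python
"""Salted SHA-1 (SSHA-Password) values for a FreeRADIUS 2.x radcheck table.

Added example for the thread above, not FreeRADIUS project code.
Assumptions: rlm_pap decodes the base64 value, takes the first 20 bytes as
the SHA-1 digest and everything after them as the salt; the SQL placeholder
style is the %s form used by MySQLdb. No database is contacted here.
"""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes of digest at the front of the decoded value; rest is salt


def make_ssha(password, salt=None):
    """Return the base64 SSHA-Password string for `password`.

    The salt may be any length because rlm_pap treats everything after the
    digest as salt; 8 random bytes are used when none is supplied.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password, stored):
    """Verify `password` against a stored SSHA value the way rlm_pap does."""
    raw = base64.b64decode(stored)
    if len(raw) < SHA1_LEN:           # malformed value: never a match
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def radcheck_row(username, password):
    """Return (sql, params) for cursor.execute() that stores a hashed password.

    The values are passed as parameters rather than interpolated into the
    SQL text, so a username like "x', 'Auth-Type', ':=', 'Accept'); --" is
    stored literally instead of being executed.
    """
    sql = ("INSERT INTO radcheck (username, attribute, op, value) "
           "VALUES (%s, %s, %s, %s)")
    return sql, (username, "SSHA-Password", ":=", make_ssha(password))


def migrate_cleartext_rows(rows):
    """Rewrite Cleartext-Password rows as SSHA-Password rows.

    `rows` is an iterable of (username, attribute, op, value) tuples as read
    from radcheck; rows with any other attribute are returned unchanged.
    """
    out = []
    for username, attribute, op, value in rows:
        if attribute == "Cleartext-Password":
            out.append((username, "SSHA-Password", op, make_ssha(value)))
        else:
            out.append((username, attribute, op, value))
    return out


# Constructed sample rows, not taken from any real database.
SAMPLE_RADCHECK = [
    ("alice", "Cleartext-Password", ":=", "correct horse"),
    ("bob", "Cleartext-Password", ":=", "hunter2"),
    ("carol", "Simultaneous-Use", ":=", "1"),   # not a password row
]


if __name__ == "__main__":
    for row in migrate_cleartext_rows(SAMPLE_RADCHECK):
        print(row)
    sql, params = radcheck_row("dave", "pa55word")
    print(sql, params)
    print("verify:", check_ssha("pa55word", params[3]))
```

After migrating, a `radtest dave pa55word 127.0.0.1 0 testing123` against the server (PAP) should still succeed, while a PEAP/MSCHAPv2 client for the same user will fail until an NT-Password row is added for it; that failure is the expected consequence of hashing, not a configuration bug.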

