Re: [Freeipa-users] connecting freeipa server with free radius

2009-08-26 Thread Dmitri Pal
John Dennis wrote:
 On 08/26/2009 04:16 AM, Rachid Zarouali wrote:
 Hello Dimitri,
 I'll try to answer your questions the best I can :-)

 Basically we plan to use the LDAP IPA password.
 At first we want to use RADIUS for authentication only.

 I'm not sure about what you call outer/inner methods :(
 The base of the authentication in the project is the IPA LDAP,
 to which we try to connect a FreeRADIUS server which is used to
 authenticate admins on routers/firewalls.

 Am I clear?

 If it's just admin access on a router/firewall I don't see a problem
 at the moment. You should be able to use PAP on the router/firewall:
 it encrypts the plaintext password and sends it to the FreeRADIUS
 server, which decrypts it, resulting in the plaintext password. The
 FreeRADIUS server would then be configured to use Kerberos; it uses
 the plaintext password and obtains a TGT (i.e. it does a kinit on
 behalf of the user). If this is successful, the RADIUS authentication is
 successful. All this should work out of the box for both IPA and
 FreeRADIUS (although you'll have to edit the FreeRADIUS config to
 enable krb5).

 We're not thrilled with this solution because the radius server sees a
 plaintext password (although it's encrypted during transport). The
 security is adequate but not ideal. Safer authentication methods
 require us to do more integration work between IPA and FreeRADIUS,
 which at the moment is a deferred work item.
I agree with John, PAP would most likely work in this case but, as John
mentioned, would not be ideal from a security point of view.
Before we lock on the lowest common denominator, which is PAP, let us see if
there is anything we can do to make it a bit more secure.
Your routers and firewalls have a set of authentication methods they
support.
PAP is the basic method. There are also more advanced, so-called EAP
methods (Extensible Authentication Protocol).
Those EAP methods usually establish a tunnel and then pass the
authentication inside this tunnel.

In the pure RADIUS case without EAP, PAP will use a shared secret known
by your end point and the RADIUS server to hash the password using a
reversible hashing algorithm.
Shared secrets should be pretty long to avoid dictionary attacks. I
would not be comfortable with them having less than 128 bits of entropy
(random alphanumeric with punctuation 20-character shared secrets would do).
But this is still not as comfortable as SSL, for example. So there is an
EAP method that allows passing your password inside an SSL-encrypted
blob (PEAP). The SSL can be just a tunnel or an authenticated tunnel
(the client and server can mutually authenticate each other during the
handshake). So this would be an outer method. Inside the SSL tunnel you can
pass a clear text password, PAP, CHAP etc. In this case PAP will be an
inner method.

So the first step is to determine what auth methods your routers and
firewalls support. The RADIUS servers support a lot of different inner
and outer methods.
So maybe PAP can be tunneled using PEAP or some other method supported
both by your routers and the RADIUS server. This needs to be investigated.
When we know what the routers are capable of we would be able to advise
if there is any more secure configuration than just PAP.

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
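The "reversible hashing" that Dmitri describes for plain RADIUS PAP is the User-Password hiding scheme of RFC 2865 section 5.2: the password is padded to 16-octet blocks and XORed with MD5(shared secret || Request Authenticator), chained block by block. The following Python script is an added illustration, not code from the thread or from the FreeIPA/FreeRADIUS projects. It implements the hide and reveal steps so the round trip can be seen, and it computes the entropy of a random shared secret drawn from letters, digits and punctuation (94 symbols), which shows why a 20-character secret of that kind clears the 128-bit bar mentioned above. The secret, password and Request Authenticator values in the demo are constructed for the example.

```python
import hashlib
import math
import secrets
import string

# Alphabet Dmitri describes: alphanumeric plus punctuation (26 + 26 + 10 + 32 = 94 symbols).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Encode a PAP password as the RADIUS User-Password attribute value (RFC 2865, 5.2).

    p1..pn are 16-octet blocks of the NUL-padded password; b1 = MD5(S + RA),
    c1 = p1 XOR b1, b2 = MD5(S + c1), c2 = p2 XOR b2, and so on. The result is
    only as hard to reverse as the shared secret S is to guess.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password is limited to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c  # the ciphertext block feeds the next keystream block
    return bytes(out)


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Invert hide_user_password, as the RADIUS server does before checking the password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(shared_secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    # Padding is NUL bytes; a password that itself ends in NUL cannot be distinguished (RFC 2865 caveat).
    return bytes(out).rstrip(b"\x00")


def secret_entropy_bits(length: int, alphabet: str = PRINTABLE) -> float:
    """Entropy of a uniformly random secret of `length` symbols from `alphabet`."""
    return length * math.log2(len(alphabet))


def min_secret_length(target_bits: int = 128, alphabet: str = PRINTABLE) -> int:
    """Shortest secret from `alphabet` that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def generate_shared_secret(target_bits: int = 128, alphabet: str = PRINTABLE) -> str:
    """Generate a shared secret with a CSPRNG, sized to meet the entropy target."""
    return "".join(secrets.choice(alphabet) for _ in range(min_secret_length(target_bits, alphabet)))


if __name__ == "__main__":
    # Constructed demo values; a real NAS would send a fresh random Request Authenticator per request.
    secret = generate_shared_secret().encode()
    req_auth = secrets.token_bytes(16)
    pw = b"constructed-demo-password"
    hidden = hide_user_password(pw, secret, req_auth)
    print("hidden User-Password:", hidden.hex())
    print("round trip ok:", reveal_user_password(hidden, secret, req_auth) == pw)
    print("20-char secret entropy: %.1f bits" % secret_entropy_bits(20))
    print("length needed for 128 bits:", min_secret_length(128))
```

Two points the code makes visible: the hiding is pure XOR with an MD5 keystream derived from the shared secret, so a weak or short secret is the only thing standing between an observer of RADIUS traffic and the password, which is the reason for the entropy guidance in the thread; and the Request Authenticator changes the keystream per request, so the same password does not hide to the same bytes twice.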


[Freeipa-users] connecting freeipa server with free radius

2009-08-24 Thread Rachid Zarouali
Hello :)
Has anyone successfully connected a FreeIPA server with a RADIUS server?
If so, is there any howto/doc that may help me do it myself?

Thanks for your help,
Rachid