Bill,
Well, yes, I realize that base64encoding doesn't provide much in the
way of security... But it's better than the data being completely in the
clear... I have some encryption/decryption code around here somewhere that
could probably be used, but of course the key would have to be in the code,
where it could be seen, so even that doesn't provide great security...
Paul
-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]
Sent: Friday, August 05, 2005 11:01 AM
To: Paul Taylor
Cc: [email protected]
Subject: Re: [pfSense Support] FreeRadius Package - slight security issue
On 8/5/05, Paul Taylor <[EMAIL PROTECTED]> wrote:
> While looking through the config.xml file to see if I could spot anything
> unusual (to help me fix the last issue I posted about), I noticed the
> FreeRadius config...
>
> The problem that I saw is that the passwords are stored in clear text. I
> would think that the passwords should be at least base64encoded for storage,
> so at least they would be as secure as the locally managed passwords, native
> to pfSense and Monowall.
Actually, base64encoding would still be less secure (and as an
application auditor, wouldn't provide more than another 10 seconds of
delay in retrieving them) than local passwords which are one way
hashed. I don't know anything about the FreeRadius package so I can't
comment directly on what it requires or what the passwords it stores
in our config.xml are supposed to resemble.
It's an issue, I don't know how to fix it at this point as I've never
even looked at that part of code.
--Bill
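
Added example (not part of the original thread, and not pfSense or FreeRadius code): the three storage forms discussed above, written to a constructed config fragment and then audited for what anyone who can read the file gets back. The element names, the scheme attribute, the PBKDF2 parameters and the sample user are assumptions made for this illustration.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET

ITERATIONS = 200_000  # assumed work factor for this example

def encode(password, scheme):
    """Return the value that would be written to the config file."""
    if scheme == "plain":
        return password
    if scheme == "base64":
        return base64.b64encode(password.encode()).decode()
    if scheme == "pbkdf2":
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return salt.hex() + ":" + dk.hex()
    raise ValueError(scheme)

def recover(stored, scheme):
    """What a reader of the file gets back with no key and no guessing."""
    if scheme == "plain":
        return stored
    if scheme == "base64":
        return base64.b64decode(stored).decode()
    return None  # one-way: nothing to decode, only candidate testing remains

def verify(candidate, stored):
    """Check a login attempt against a pbkdf2 record."""
    salt_hex, dk_hex = stored.split(":")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)

def build_config(users, scheme):
    """Constructed config fragment; element names are hypothetical."""
    root = ET.Element("radiususers")
    for name, pw in users.items():
        u = ET.SubElement(root, "user", name=name)
        ET.SubElement(u, "password", scheme=scheme).text = encode(pw, scheme)
    return ET.tostring(root, encoding="unicode")

def audit(config_xml):
    """Map each user to the password recoverable from the file alone."""
    root = ET.fromstring(config_xml)
    return {u.get("name"): recover(u.find("password").text,
                                   u.find("password").get("scheme"))
            for u in root.iter("user")}

if __name__ == "__main__":
    users = {"alice": "s3cret-pw"}  # constructed sample
    for scheme in ("plain", "base64", "pbkdf2"):
        print(scheme, audit(build_config(users, scheme)))
```

Whether the FreeRadius package can work from a one-way form depends on what it needs from these fields, which the thread leaves open.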