This whole argument is pointless.  If this is really this big of a
problem you have these choices:

1.  Don't use FreeRADIUS and use a separate server where you will be
entering these configs in _PLAIN TEXT_ as well.

2.  Don't use pfSense

Scott


On 8/5/05, Paul Taylor <[EMAIL PROTECTED]> wrote:
> 
> Bill,
> 
> Sure, if someone gets a hold of the config.xml file, no amount of
> base64 encoding will stop them from getting a password.. But, if someone is
> in the same room with you looking over your shoulder while you are looking
> through the config.xml file, there is no need to give them a clear view of
> usernames and passwords.
> 
> In a corporate environment, people can walk by your office or cube any
> time...  We have found ourselves in this very situation more than once...
> Having passwords in a file that we were working on in clear text, when
> someone unexpectedly dropped by..  In our situation, we are pretty
> out-of-the-way, but in most corporate environments, that just isn't the
> case...  People are crammed in cubes right next to each other, and they
> might not even be doing related jobs.
> 
> Paul
> 
> 
> -----Original Message-----
> From: Bill Marquette [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 05, 2005 11:17 AM
> To: Paul Taylor
> Cc: support@pfsense.com
> Subject: Re: [pfSense Support] FreeRadius Package - slight security issue
> 
> On 8/5/05, Paul Taylor <[EMAIL PROTECTED]> wrote:
> > Bill,
> >
> >         Well, yes, I realize that base64 encoding doesn't provide much in
> > the way of security...  But it's better than the data being completely in
> > the clear...  I have some encryption/decryption code around here somewhere
> > that could probably be used, but of course the key would have to be in the
> > code, where it could be seen, so even that doesn't provide great security...
> 
> And I disagree.  base64 encoding provides zero security.  Obscuring the
> data is no excuse for real protection.  If we can protect it the right
> way (a one way hash), we will.  Anything less than a one-way hash
> means it's reversible, passwords shouldn't be reversible in any way
> shape or form - I'd rather have glaring plaintext passwords reminding
> me to do something about them than something that at first glance
> passes muster.  I'll personally back out any commit that does a
> half-ass job at it (not that I expect anyone to make such a commit).
> 
> Don't hand out your config.xml and you'll be fine.
> 
> --Bill
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
>

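To make the point in the quoted reply concrete: base64 is an encoding, not a cipher, so a "protected" password is recovered with one library call and no secret, while a salted one-way hash lets the server verify a password without ever being able to hand it back. The following is an added example written for this page, not pfSense or FreeRADIUS code; the sample entry, the PBKDF2 parameters and the `$`-separated storage format are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a user password as it would look if config.xml merely
# base64-encoded it (hypothetical format, not what any release actually wrote).
SAMPLE_PASSWORD = "s3cret-pass"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PASSWORD.encode()).decode()


def recover_base64(encoded: str) -> str:
    """Undo base64 'obscuring'.

    No key and no secret are involved: anyone who can read the config can
    call this, which is why base64 adds nothing to security.
    """
    return base64.b64decode(encoded).decode()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Produce a salted, iterated one-way hash (PBKDF2-HMAC-SHA256).

    A fresh random salt per password means two users with the same password
    get different stored values, and a precomputed table is useless.
    The stored string carries everything needed to verify later.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored hash.

    The hash is recomputed from the candidate and compared in constant time;
    the original password is never reconstructed from the stored value.
    """
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print("base64 'protected':", SAMPLE_ENCODED)
    print("recovered instantly:", recover_base64(SAMPLE_ENCODED))
    stored = hash_password(SAMPLE_PASSWORD)
    print("one-way hash stored:", stored)
    print("verify correct password:", verify_password(SAMPLE_PASSWORD, stored))
    print("verify wrong password:", verify_password("guess", stored))
```

One caveat worth knowing before applying this to a RADIUS server: a one-way hash only works for authentication methods where the server receives the password itself (PAP). Challenge-response methods such as CHAP and MS-CHAP need the server to hold the cleartext password or an equivalent reversible form, so for those the honest answer is the one in the quoted reply: keep config.xml out of other people's hands rather than pretending an encoding protects it.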