Re: Freeradius doesn't detect EAP when authenticating against MySQL
On 10/23/07, Alan DeKok <aland@deployingradius.com> wrote:
preem wrote:
> So, what is a common practice to do this then?

  It's not.

  People store MD5 or crypt'd passwords when the ONLY authentication
they're doing is PAP.  i.e. Unix logins, where the user supplies a
clear-text password to the authentication system.


And PAP is not a very safe and smart way to go, as I read it.

  For many EAP types, people do NOT store MD5 or crypt'd passwords,
because they're useless.


So, crypted passwords are useful only in web applications? I have read a lot lately about how one should never store passwords in clear text; I guess that applies only to web apps.

> I understand it's not very
> safe nor sane to store passwords in clear text, that's why I wanted to avoid
> that, however it seems inevitable.

  It is safe, sane, and common practice to store passwords in clear text.


I do not have much experience with this; in fact it's my first project on the matter.

> I am managing a wired network for some 300 users, it's a student dorm and the
> university owns the network and they require authentication for the ease of
> management and control. 802.1X felt like the right way to go, because we are
> planning some wireless access points as well. There are HP ProCurve 2650
> switches in use. I chose a MySQL DB backend, because I also created a set of
> PHP scripts, where users can change their passwords and the admin can
> add/del/modify user info.
> So what can one do to avoid storing passes in clear text, or is it sane
> enough? The server also serves some web pages and DHCP requests.

  Ensure that no one has physical access to the system storing the
passwords.  Ensure that no one has network access to the system storing
the passwords.


That will be no problem, since I'm the only one with physical access.

  I would also suggest running the RADIUS server and/or the MySQL server
with passwords on a separate machine from the web/dhcp server.  That
way, if someone breaks into the web server, they won't have access to
the passwords.

I am using VMware Server, so that won't require much work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Thanks again for clearing this up.

primski
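Added example, not part of the thread, illustrating Alan's point about why a stored MD5 hash works for PAP but is useless for a challenge/response EAP method. It uses the EAP-MD5/CHAP response formula from RFC 1994 (MD5 over identifier, password and challenge) and a constructed user record; the function names and sample values are mine.

```python
import hashlib
import hmac
import secrets

# Constructed sample user record (not from the thread).
PASSWORD = b"correct-horse"
STORED_MD5_HEX = hashlib.md5(PASSWORD).hexdigest()  # an "MD5 password" column
STORED_CLEARTEXT = PASSWORD                          # a Cleartext-Password column


def pap_verify(stored_md5_hex: str, supplied: bytes) -> bool:
    """PAP: the client sends the clear-text password, so the server only
    needs the stored hash and re-hashes what it received."""
    return hmac.compare_digest(hashlib.md5(supplied).hexdigest(), stored_md5_hex)


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (CHAP, RFC 1994) response: MD5(Identifier || password || challenge).
    The supplicant computes this from the clear-text password it holds."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def eap_md5_verify_cleartext(stored_password: bytes, identifier: int,
                             challenge: bytes, response: bytes) -> bool:
    """Server holding the clear-text password recomputes the expected response."""
    expected = chap_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def eap_md5_verify_md5hash(stored_md5_hex: str, identifier: int,
                           challenge: bytes, response: bytes) -> bool:
    """The best a server holding only MD5(password) can do is plug the hash
    in where the password belongs. It never matches: the response is MD5
    over the password itself, and the hash cannot be turned back into it."""
    attempt = chap_response(identifier, bytes.fromhex(stored_md5_hex), challenge)
    return hmac.compare_digest(attempt, response)


def demo() -> dict:
    """Run one PAP check and one EAP-MD5 exchange against both storage forms."""
    identifier = 1
    challenge = secrets.token_bytes(16)                        # server nonce
    response = chap_response(identifier, PASSWORD, challenge)  # supplicant side
    return {
        "pap_with_hash": pap_verify(STORED_MD5_HEX, PASSWORD),
        "eap_md5_with_cleartext": eap_md5_verify_cleartext(
            STORED_CLEARTEXT, identifier, challenge, response),
        "eap_md5_with_hash": eap_md5_verify_md5hash(
            STORED_MD5_HEX, identifier, challenge, response),
    }
```

The hashed column is enough for PAP but cannot answer a challenge, which is why FreeRADIUS needs the clear-text (or a method-specific) form for such EAP types, and why Alan's advice is about isolating the machine that holds it.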
