Keeping plain-text shared secret and user passwords in sql
jazdatestowa at gmail.com
Wed Nov 16 13:22:18 CET 2011
Thanks Alan, Sven.
SQL server is on the same virtual machine with freeradius. I'm also
creating a web application to manage users, certificates, server settings
etc - it will be hosted on the same machine.
I just thought that keeping ANY passwords ANYWHERE in plaintext form is not
a good idea. But then again, if someone gains access to my server then in
fact he could do anything and the password would not matter.
> 2 - Can I hash user passwords if I'm using eap-tls?
> > 2a - if I'm using certificates for authentication, do I actually need to
> > keep user passwords? Cause it seems that they aren't used during
> > authentication (or I didn't find that part during debugging)
> If 2a, then no, as the certificate is the only needed credential of a
> user/system, no username/password involved.
That's good and bad.
- Good, cause it simplifies initial implementation a bit.
- Bad, because I was counting on doing something like double
authentication - user/password after cert verification.
But in that case, is there any way to 'disable' a user's key in case I don't
want him to access my network?
What if I need to generate a new user certificate as a replacement to the old
one that has been lost/stolen etc?
I can give 'Expiration' attribute to the account, but that doesn't solve
the case, as I want to give the same user a new key.