Hiding "secret" used in for PAM authentication
p.mayers at imperial.ac.uk
Sat Nov 19 11:38:44 CET 2011
On 11/19/2011 12:26 AM, Gregory Machin wrote:
> We are using using PAM to authenticate users against Freeradius, an
> that is working well. The problem is that the users are 3rd party
> developers and some need root access. The issue we have is that the
> radius secret is stored in clear text file. How can this be hidden so
> that is can be misused ?
There's no way within FreeRADIUS. The secret must be in plaintext, in
order to be used.
If you don't trust the users, you shouldn't give them root access.
I suppose it might be possible to use a MAC system like SELinux to
confine the untrusted parties into a domain which can't read the
FreeRADIUS config files, but can do everything else - but it would be
Basically - you can't hide things from root.
More information about the Freeradius-Users