Secure auth methods pam_radius
Bob Probert
bruisebrotherprobert at gmail.com
Tue Dec 3 20:57:46 CET 2013
Alan and Arran,
Thanks for your response.
The security of Radius has been questioned on a number of occasions, it not
out of line to question it on the Radius Users mailing list.
On Tue, Dec 3, 2013 at 10:11 AM, Alan DeKok <aland at deployingradius.com>wrote:
> Bob Probert wrote:
> > In my understanding RADIUS provides security in the form of an MD5 hash
> > -- not ideal.
>
> I said RADIUS secures the password. I meant that.
>
> It helps to understand the system before trying to fix it.
>
> > Has RADSEC been implemented for this PAM module? If not, how is the
> > community sanitizing this traffic? IPSEC? STUNNEL?
>
> You're asking the wrong questions. Your questions are based on a
> false assumption: that the password is insecure in normal RADIUS.
>
> There is no evidence to believe that this is true.
>
> If you want the traffic to be *more* secure, set the RADIUS server to
> be 127.0.0.1, and run a RADIUS proxy on the local machine. It can then
> do RadSec to anywhere you want.
>
> Or, you can configure IPSec, so that the RADIUS PAM module
> communicates with the RADIUS server over a network secured by IPSec.
>
> Both solutions require *zero* changes to the PAM module. All they
> require is a little knowledge of networking.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20131203/224b70c2/attachment.html>
More information about the Freeradius-Users
mailing list