<br><br><div><span class="gmail_quote">On 10/23/07, <b class="gmail_sendername">Alan DeKok</b> <<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
preem wrote:<br>> So, what is a common practice to do this then?<br><br> It's not.<br><br> People store MD5 or crypt'd passwords when the ONLY authentication<br>they're doing is PAP. i.e. Unix logins, where the user supplies a
<br>clear-text password to the authentication system.</blockquote><div><br><br>And PAP is not very safe and smart way to go as i read it. <br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
For many EAP types, people do NOT store MD5 or crypt'd passwords,<br>because they're useless.</blockquote><div><br><br>So, crypted passwords are usefull only in web applications? I read a lot lately about, how one should never store passwords in clear text, i guess that applies only to web apps.
<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">> I understand its not very<br>> safe nor sane to store passwords in clear text, thats why I wanted to avoid
<br>> that, however it seems inevitable.<br><br> It is safe, sane, and common practice to store passwords in clear text.</blockquote><div><br><br>I do not have many experience with this, in fact its my first project on the matter.
<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">> I am managing a wired network for some 300 users, its a student dorm and the
<br>> university owns the network and they require authentication for the ease of<br>> management and control. 802.1x felt like the right way to go, because we are<br>> planning some wireless access points as well. There are HP's Procurve 2650
<br>> switches in use. I choose mysql db backend, because I also created set of<br>> PHP scripts, where users can change their passwords and admin can<br>> add/del/modify user info.<br>> So what can one do to avoid storing passes in clear text or is it sane
<br>> enough? The server also serves some web pages and dhcp requests.<br><br> Ensure that no one has physical access to the system storing the<br>passwords. Ensure that no one has network access to the system storing
<br>the passwords.</blockquote><div><br><br>That will be no problem, since I'm the only one with physical access.<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I would also suggest running the RADIUS server and/or the MySQL server<br>with passwords on a separate machine from the web/dhcp server. That<br>way, if someone breaks into the web server, they won't have access to
<br>the passwords.</blockquote><div><br>I am using VMWare server, so that won't require much work.<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Alan DeKok.<br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a></blockquote><div><br><br>Thanks again, for clearing this up.<br>
<br>primski <br></div><br></div><br>