Firstly these are not my servers, or my department. My roll is limited to provisioning the radius server. I did suggest restricted access sudo etc and that didn't fly. I was asked what the implications of the shared secret being visible are, and if there is a way to obfuscate it. I will forward on this commentary to the relevant persons and leave it with them. Thanks G On Sun, Nov 20, 2011 at 4:35 AM, John Dennis <jdennis@redhat.com> wrote:
On 11/18/2011 07:33 PM, Gregory Machin wrote:
Hi. We are using using PAM to authenticate users against Freeradius, an that is working well. The problem is that the users are 3rd party developers and some need root access. The issue we have is that the radius secret is stored in clear text file. How can this be hidden so that is can be misused ?
Is there a document on hardening Freeradius ?
Giving 3rd party users root access to servers with sensitive information is dumb. Nothing is protected once you have root. You need to seriously reconsider why anybody except a trusted small group of admins need root.
I can't seriously believe you're asking a question about hardening after declaring you intend to give root away. The very first rule of hardening is to restrict root access, all hardening efforts are a complete waste of time once root is compromised.
-- John Dennis <jdennis@redhat.com>
Looking to carve out IT costs? www.redhat.com/carveoutcosts/