On Sep 26, 2019, at 1:06 PM, Dan Swartzendruber <dswartz@druber.com> wrote:
I'm trying to implement external authentication for an appliance running CentOS 7. My research turned up the easiest solution as simply installing pam_radius from the repository. I did, and it works just fine (tested against a Freeradius 3.0 server with a single test user.) Running freeradiux with '-X' indicates that is using PAP: ... For security reasons, I'd really like to use CHAP instead, but it doesn't seem to support that? The man pages and such don't mention CHAP. I went as far as downloading 1.4.0 and extracting the tarball and looking at the code. User-Password is Radius attribute 2, and looking at the source:
The pam_radius_auth module doesn't do CHAP. TBH, any "security" argument is not really relevant. The whole idea of "PAP is insecure" is a marketing checklist, not a security analysis. Alan DeKok.