I just thought that keeping ANY passwords ANYWHERE in plaintext form is not a good idea. But then again, if someone gains access to my server then in fact he could do anything and password would not matter.
> 2 - Can I hash user passwords if I'm using eap-tls?
> 2a - if I'm using certificates for authentication, do I actually need to
> keep user passwords? Cause it seems that they aren't used during
> authentication (or I didn't find that part during debuging)
If 2a, then no, as the certificate is the only needed credential of a
user/system, no username/password involved.
Thats good and bad.
- Good, cause it simplifies initial implementation a bit.
- Bad, because I was counting i could do something like double authentication - user/password after cert verification.
But in that case, is there any way to 'disable' users key in case i don't want him to access my network?
What if I need to generate new user certificate as a replacement to the old one that has been lost/stolen etc?
I can give 'Expiration' attribute to the account, but that doesn't solve the case, as I want to give the same user a new key.
Any ideas?