I had to do a little digging, but I got md5 auth set up and working. Thanks for the help. I was more comfortable doing that than changing permissions on the /etc/shadow and dealing with modifying SELinux attributes. Thanks for the help. Ben Wiechman -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of tnt@kalik.co.yu Sent: Monday, November 05, 2007 1:15 PM To: FreeRadius users mailing list Subject: RE: Security of sql md5 vs unix auth crypt, sha etc. also won't work with PEAP. Only NT-hash. Ivan Kalik Kalik Informatika ISP Dana 5/11/2007, "Ben Wiechman" <ben@wisper-wireless.com> piše:
-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, November 02, 2007 6:42 PM To: FreeRadius users mailing list Subject: Re: Security of sql md5 vs unix auth
Ben Wiechman wrote:
Background: we use freeradius to provide AAA for our wireless hotspots. We would also like to use radius authentication for our layer 3 switches. This brings up the question of security.
It brings up a question of limited choices.
Which is going to be more secure, md5 hashed passwords in MySQL, or storing the passwords for the switch accounts in the /etc/shadow file
It's effectively the same from a security point of view.
(I had to set the file to world readable to allow the radiusd process to read the file.).
PLEASE don't do that! The comments in radiusd.conf describe how to *properly* let the server read /etc/shadow.
Or is there another, better alternative that I just don't know about?
If you're doing PEAP for WiFi, you *can't* use MD5 or /etc/shadow passwords.
Alan DeKok. -
Ahh... I see the comments now about changing the group to shadow. With that in mind it may be better to just encrypt the password. Thanks for the pointers.
Ben
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html