On Tue, 23 Jul 2024, Alan Smith via Freeradius-Users wrote:
A project I am working on does not allow storage of plain text passwords in the config file. That is why. On Tuesday, 23 July 2024 at 09:39:41 pm SGT, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 23, 2024, at 1:12 AM, Alan Smith via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
How may I encrypt the password used in Connection info in SQL module? Kindly advise. Thanks.
What problem would that solve?
Think about it for a bit. The server has to be able to decrypt that password somehow. So where is the decryption key stored? How can the server get access to it?
It depends on the details of your system. 1) if radius daemon and MySQL daemon reside on the same host you can use Unix access control and base it on UID. 2) if your system has some kind of hardware key escrow device, store the credentials in that 3) Store the password in an encrypted form and have the radius daemon prompt the user for the decrypt key at startup (or retrieve it from some kind of key escrow service, think "ssh-agent" like structure). 4) if your MySQL server supports some other kind of authentication mechanism (EG GSSAPI) use that instead of passwords. 5) ask other people in your organization how they're handling this particular mandate. Good luck, aint bureaucracy fun... -- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{