On 11/19/2011 12:26 AM, Gregory Machin wrote:
Hi. We are using using PAM to authenticate users against Freeradius, an that is working well. The problem is that the users are 3rd party developers and some need root access. The issue we have is that the radius secret is stored in clear text file. How can this be hidden so that is can be misused ?
There's no way within FreeRADIUS. The secret must be in plaintext, in order to be used. If you don't trust the users, you shouldn't give them root access. I suppose it might be possible to use a MAC system like SELinux to confine the untrusted parties into a domain which can't read the FreeRADIUS config files, but can do everything else - but it would be tricky. Basically - you can't hide things from root.