On Mon, Nov 10, 2014 at 9:05 PM, Alan DeKok <aland@deployingradius.com> wrote:
E.S. Rosenberg wrote:
Which in turn links to a nice page by Alan DeKok here: http://deployingradius.com/documents/protocols/compatibility.html
Which left me asking myself 2 questions: 1. Did anything change in the past 5 years, is there any decently supported protocol that does support hashed passwords (other then PAP)?
MD5 etc. hasn't changed in the last 5 years. So the table (and conclusions) haven't changed either. No new EAP on the block that handles passwords stored in salted hashes?
2. How can it be that all these protocols were designed with the idea that the auth server should have a cleartext copy of the users' password, haven't we all known for years now that that's a bad idea?
Because different people have different needs. And most people don't think about RADIUS until it's too late to change their password storage method. I understand that, my question is more "How is it that the various RADIUS protocols can only work with cleartext passwords known on the RADIUS server side?" To me (someone who has been doing systemadmin/network admin/(web) development work) it seems like the most obvious thing in the world that I don't want my users passwords to be stored anywhere where me/any of my co-workers can get to them in cleartext and since root can get everywhere that means cleartext passwords belong nowhere.
Now I may be naive or have never tried to develop an AUTH protocol, so I am just very curious what the arguments are to store cleartext? Regards and thanks for the quick reply, Eli
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html