Advice on RADIUS security and MD5 encryption?
We're using the pam_radius module for SSH login authentication on a CentOS 7 server. Our university's RADIUS server is a Microsoft Windows server. This seems to work well. Some of my colleagues are wary about using RADIUS for authentication because the network traffic is encrypted with the obsolete MD5 algorithm. I would like to understand if this is a relevant objection or not for the present case. The Wikipedia article https://en.wikipedia.org/wiki/RADIUS does raise some security concerns. Question: When the user's password hash is transmitted across the network, how secure is the password from decryption by eavesdroppers? Are there any good articles on RADIUS security? Thanks for sharing any insights. Ole -- Ole Holm Nielsen PhD, Senior HPC Officer Department of Physics, Technical University of Denmark
On Feb 24, 2022, at 4:39 AM, Ole Holm Nielsen via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
We're using the pam_radius module for SSH login authentication on a CentOS 7 server. Our university's RADIUS server is a Microsoft Windows server. This seems to work well.
Some of my colleagues are wary about using RADIUS for authentication because the network traffic is encrypted with the obsolete MD5 algorithm.
The real question is: "Has anyone broken the encryption method used by RADIUS?" The answer is "no".
I would like to understand if this is a relevant objection or not for the present case.
It's not relevant.
The Wikipedia article https://en.wikipedia.org/wiki/RADIUS does raise some security concerns.
Anyone can edit Wikipedia. It doesn't really mean anything.
Question: When the user's password hash is transmitted across the network, how secure is the password from decryption by eavesdroppers?
If you have a shared secret of "hello", it's easy to crack. If the shared secret of "284nv82fskljhfw9yf2hfjb3fjgf8gb83bg", then no one will be able to crack it.
Are there any good articles on RADIUS security?
Not really. In short, it's fine. Alan DeKok.
Hi Alan, Thanks very much for your definitive answers, it's much appreciated! Such clear messages are almost impossible to find elsewhere. So we should be good to go with RADIUS, provided that we use hard-to-crack shared secrets. Best regards, Ole -- Ole Holm Nielsen PhD, Senior HPC Officer Department of Physics, Technical University of Denmark
participants (2)
-
Alan DeKok -
Ole Holm Nielsen