My current radius installation permits radius daemon read-only access to /etc/shadow. But this introduces security risks. -rw-r--r-- 1 root root 6514 Nov 18 16:52 /etc/shadow I have been told to consider MySQL back-end. Is there a way to pull the existing local users/passwords in MySQL? Or I have recreate every user plus password in MySQL? Norman
Norman Zhang wrote:
My current radius installation permits radius daemon read-only access to /etc/shadow. But this introduces security risks.
Such as?
-rw-r--r-- 1 root root 6514 Nov 18 16:52 /etc/shadow
I have been told to consider MySQL back-end. Is there a way to pull the existing local users/passwords in MySQL? Or I have recreate every user plus password in MySQL?
You can manually write a program that runs as root to pull user/password information from /etc/shadow, and copy it to an SQL database. But you will be providing the RADIUS server with... access to the username && password. Which is what happens when you let it read /etc/shadow. i.e. If you're worried about letting your RADIUS server read /etc/shadow, you shouldn't be giving it *any* information about users or passwords. Alan DeKok.
Alan DeKok wrote:
Norman Zhang wrote:
My current radius installation permits radius daemon read-only access to /etc/shadow. But this introduces security risks.
Such as?
-rw-r--r-- 1 root root 6514 Nov 18 16:52 /etc/shadow
I have been told to consider MySQL back-end. Is there a way to pull the existing local users/passwords in MySQL? Or I have recreate every user plus password in MySQL?
You can manually write a program that runs as root to pull user/password information from /etc/shadow, and copy it to an SQL database.
But you will be providing the RADIUS server with... access to the username && password. Which is what happens when you let it read /etc/shadow.
i.e. If you're worried about letting your RADIUS server read /etc/shadow, you shouldn't be giving it *any* information about users or passwords.
Good point. I guess the security risk is to do with granting others +r access to /etc/shadow. Maybe I can chgrp /etc/shadow shadow and changing radius.conf to user = radius group = shadow would do the trick. Norman
Norman Zhang wrote:
Good point. I guess the security risk is to do with granting others +r access to /etc/shadow. Maybe I can
chgrp /etc/shadow shadow
and changing radius.conf to
user = radius group = shadow
would do the trick.
Which is recommended in the comments in radiusd.conf. Alan DeKok.
participants (2)
-
Alan DeKok -
Norman Zhang