Hello all, I would like to use the PAM Radius module to authenticate Linux servers against my Radius server. I compiled and configured the PAM module, things appear to be working, however I would like to use a more secure authentication method than PAP. Is it possible to force the PAM module to use a more secure method? What does the community endorse as the most secure authentication method for Radius. Thanks! Bob
Bob Probert wrote:
I compiled and configured the PAM module, things appear to be working, however I would like to use a more secure authentication method than PAP.
What do you mean "more secure" ? The system running PAM has the clear-text password for the user. The RADIUS server has the clear-text password for the user. The RADIUS protocol secures the password when it's sent in the network. What, exactly do you mean? Alan DeKok.
Alan, Thanks for the reply! In my understanding RADIUS provides security in the form of an MD5 hash -- not ideal. Has RADSEC been implemented for this PAM module? If not, how is the community sanitizing this traffic? IPSEC? STUNNEL? Thanks! On Tue, Dec 3, 2013 at 5:59 AM, Alan DeKok <aland@deployingradius.com>wrote:
Bob Probert wrote:
I compiled and configured the PAM module, things appear to be working, however I would like to use a more secure authentication method than PAP.
What do you mean "more secure" ? The system running PAM has the clear-text password for the user. The RADIUS server has the clear-text password for the user. The RADIUS protocol secures the password when it's sent in the network.
What, exactly do you mean?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
In my understanding RADIUS provides security in the form of an MD5 hash -- not ideal.
No, it's not an MD5 hash, an MD5 hash wouldn't be reversible.
Has RADSEC been implemented for this PAM module?
No, patches welcome. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
Bob Probert wrote:
In my understanding RADIUS provides security in the form of an MD5 hash -- not ideal.
I said RADIUS secures the password. I meant that. It helps to understand the system before trying to fix it.
Has RADSEC been implemented for this PAM module? If not, how is the community sanitizing this traffic? IPSEC? STUNNEL?
You're asking the wrong questions. Your questions are based on a false assumption: that the password is insecure in normal RADIUS. There is no evidence to believe that this is true. If you want the traffic to be *more* secure, set the RADIUS server to be 127.0.0.1, and run a RADIUS proxy on the local machine. It can then do RadSec to anywhere you want. Or, you can configure IPSec, so that the RADIUS PAM module communicates with the RADIUS server over a network secured by IPSec. Both solutions require *zero* changes to the PAM module. All they require is a little knowledge of networking. Alan DeKok.
Alan and Arran, Thanks for your response. The security of Radius has been questioned on a number of occasions, it not out of line to question it on the Radius Users mailing list. On Tue, Dec 3, 2013 at 10:11 AM, Alan DeKok <aland@deployingradius.com>wrote:
Bob Probert wrote:
In my understanding RADIUS provides security in the form of an MD5 hash -- not ideal.
I said RADIUS secures the password. I meant that.
It helps to understand the system before trying to fix it.
Has RADSEC been implemented for this PAM module? If not, how is the community sanitizing this traffic? IPSEC? STUNNEL?
You're asking the wrong questions. Your questions are based on a false assumption: that the password is insecure in normal RADIUS.
There is no evidence to believe that this is true.
If you want the traffic to be *more* secure, set the RADIUS server to be 127.0.0.1, and run a RADIUS proxy on the local machine. It can then do RadSec to anywhere you want.
Or, you can configure IPSec, so that the RADIUS PAM module communicates with the RADIUS server over a network secured by IPSec.
Both solutions require *zero* changes to the PAM module. All they require is a little knowledge of networking.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Bob Probert wrote:
The security of Radius has been questioned on a number of occasions, it not out of line to question it on the Radius Users mailing list.
You're still not clear on what I was saying. It's OK to ask questions the security of RADIUS. It's less OK to ask questions and then argue with the answers. Alan DeKok.
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Bob Probert