SQL module and credentials configured in the clear
for a myraid of purposes, i have my radius servers connect to MariaDB, and have configured mods-available/sql with the requisite user/pass credential set. i am wondering if the case can be made to add/include the option to use the keytab created and used for LDAP connectivity. having a user/pass combo in clear text on the filesystem is no-no in many organizations. per the mariadb docs, i setup gssapi and created my user and used gssapi for authentication /https://mariadb.com/kb/en/authentication-plugin-gssapi// create the user that matches what is configured in the keytab in mariadb: /create user 'radius\/server2.bpk2.com' identified via gssapi;/ note the hard quoting and escaping of the forward slash. this was the only combination that resulted in the user being successfully created for me. i authenticated with the keytab, and pulled a TGT: / [root@server1 raddb]# kinit -kt radius.keytab -p radius/server1.bpk2.com// // [root@server1 raddb]# klist// // Ticket cache: FILE:/tmp/krb5cc_0// // Default principal: radius/server1.bpk2.com@BPK2.COM// // // Valid starting Expires Service principal// // 04/28/2022 19:47:51 04/29/2022 19:47:51 krbtgt/BPK2.COM@BPK2.COM// // renew until 05/05/2022 19:47:51/ then i connected to the database using the identity: / [root@server1 raddb]# mysql -h database -u radius/server1.bpk2.com radius// // Reading table information for completion of table and column names// // You can turn off this feature to get a quicker startup with -A// // // Welcome to the MariaDB monitor. Commands end with ; or \g.// // Your MariaDB connection id is 125319// // Server version: 10.4.19-MariaDB MariaDB Server// // // Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.// // // Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.// // // MariaDB [radius]> show tables;// // +------------------------+// // | Tables_in_radius |// // +------------------------+// // .../ / MariaDB [radius]> status// // --------------// // mysql Ver 15.1 Distrib 10.4.19-MariaDB, for Linux (x86_64) using EditLine wrapper// // // Connection id: 125319// // Current database: radius// // Current user: radius/server1.bpk2.com@server1.bpk2.com/ it is entirely possible to use the keytab and connect to a properly configured mariadb instance with a keytab. can the functionality to authenticate to databases like mariadb with the keytab be added? thank you, brendan
On Apr 28, 2022, at 7:57 PM, Brendan Kearney <bpk678@gmail.com> wrote:
for a myraid of purposes, i have my radius servers connect to MariaDB, and have configured mods-available/sql with the requisite user/pass credential set. i am wondering if the case can be made to add/include the option to use the keytab created and used for LDAP connectivity. having a user/pass combo in clear text on the filesystem is no-no in many organizations.
I disagree, but people can do whatever they want on their own systems. The underlying issue is that the credentials have to go somewhere. The RADIUS server has to read the credentials from somewhere, so you're just moving the problem down one level. Or, you store the credentials in a different format (keytab, certificate, etc.) In which case an attacker who can read the local file system can still do everything that the RADIUS server can do. The only thing gained by using a keytab file is some happy thoughts that the "password" isn't stored as clear-text. But the credentials are still accessible to any attacker, for use as they please.
it is entirely possible to use the keytab and connect to a properly configured mariadb instance with a keytab. can the functionality to authenticate to databases like mariadb with the keytab be added?
What API should we use? The MySQL documentation shows APIs which take username and password: https://dev.mysql.com/doc/c-api/8.0/en/mysql-real-connect.html Which API takes a keytab? I've taken a quick look around the MySQL client documentation, and there's nothing obvious. Alan DeKok.
participants (2)
-
Alan DeKok -
Brendan Kearney