Freeradius sql module usage
Hi everyone, How may I encrypt the password used in Connection info in SQL module? Kindly advise. Thanks.
On 23 Jul 2024 at 8:12:31 PM, Alan Smith via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
Hi everyone, How may I encrypt the password used in Connection info in SQL module? Kindly advise. Thanks.
Do you mean in the configuration file? What are you trying to achieve exactly? -- Nathan Ward
On Jul 23, 2024, at 1:12 AM, Alan Smith via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
How may I encrypt the password used in Connection info in SQL module? Kindly advise. Thanks.
What problem would that solve? Think about it for a bit. The server has to be able to decrypt that password somehow. So where is the decryption key stored? How can the server get access to it? These kinds of approaches add complexity, and offer zero additional security. Alan DeKok.
A project I am working on does not allow storage of plain text passwords in the config file. That is why. On Tuesday, 23 July 2024 at 09:39:41 pm SGT, Alan DeKok <aland@deployingradius.com> wrote: On Jul 23, 2024, at 1:12 AM, Alan Smith via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
How may I encrypt the password used in Connection info in SQL module? Kindly advise. Thanks.
What problem would that solve? Think about it for a bit. The server has to be able to decrypt that password somehow. So where is the decryption key stored? How can the server get access to it? These kinds of approaches add complexity, and offer zero additional security. Alan DeKok.
On Jul 23, 2024, at 8:21 AM, Alan Smith via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
A project I am working on does not allow storage of plain text passwords in the config file. That is why.
That's not what I was getting at. Project requirements may be, or may not be realistic. In this case, the requirement "not store plain text passwords in the config" is not a realistic requirement. Again, think about this for a second. Where is the actual password stored? How does FreeRADIUS get access to the password? How is the password secured / authenticated? Any amount of thinking shows that this requirement is nonsense, and is security theatre. It offers *zero* additional security. It makes the system more fragile. Perhaps you could explain in concrete terms, how is the system made more secure by not storing passwords in the config? How is any other method of getting the password more secure? Use examples. "I have a checklist" is not a convincing argument. Alan DeKok.
On Tue, 23 Jul 2024, Alan DeKok wrote:
On Jul 23, 2024, at 8:21 AM, Alan Smith via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
A project I am working on does not allow storage of plain text passwords in the config file. That is why.
[snip..]
Perhaps you could explain in concrete terms, how is the system made more secure by not storing passwords in the config? How is any other method of getting the password more secure?
Use examples.
"I have a checklist" is not a convincing argument.
It prevents idiots from pushing their code to a GitHub project, thus publishing their credentials to the world. Anybody who has to deal with the new US DOD/DOE NIST-800-171 CUI requirements understands the pain of dealing with seemingly senseless restrictions. -- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{
On Jul 23, 2024, at 10:38 AM, Dave Funk <dbfunk@engineering.uiowa.edu> wrote:
On Tue, 23 Jul 2024, Alan DeKok wrote:
"I have a checklist" is not a convincing argument.
It prevents idiots from pushing their code to a GitHub project, thus publishing their credentials to the world.
I see checklists as useful for some things, but they have to be actionable. "Don't put passwords on disk" is for me not very actionable. Any ad-hoc checklist to stop bad behaviours should also have a documented better method. Otherwise people just invent other, worse, work-arounds.
Anybody who has to deal with the new US DOD/DOE NIST-800-171 CUI requirements understands the pain of dealing with seemingly senseless restrictions.
I've seen very large / national "security" organizations publish insecure recommendations. So yeah, I can see there being some confusing, crazy and outright wrong recommendations from them. Alan DeKok.
W dniu 23.07.2024 o 17:21, Alan Smith via Freeradius-Users pisze:
A project I am working on does not allow storage of plain text passwords in the config file. That is why.
It looks like an interesting requirement. Maybe you can go further an configure access to the database without any password to fully comply with these rules?
On Tuesday, 23 July 2024 at 09:39:41 pm SGT, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 23, 2024, at 1:12 AM, Alan Smith via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
How may I encrypt the password used in Connection info in SQL module? Kindly advise. Thanks. What problem would that solve?
Think about it for a bit. The server has to be able to decrypt that password somehow. So where is the decryption key stored? How can the server get access to it?
These kinds of approaches add complexity, and offer zero additional security.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Marek Zarychta
On Tue, 23 Jul 2024, Alan Smith via Freeradius-Users wrote:
A project I am working on does not allow storage of plain text passwords in the config file. That is why. On Tuesday, 23 July 2024 at 09:39:41 pm SGT, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 23, 2024, at 1:12 AM, Alan Smith via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
How may I encrypt the password used in Connection info in SQL module? Kindly advise. Thanks.
What problem would that solve?
Think about it for a bit. The server has to be able to decrypt that password somehow. So where is the decryption key stored? How can the server get access to it?
It depends on the details of your system. 1) if radius daemon and MySQL daemon reside on the same host you can use Unix access control and base it on UID. 2) if your system has some kind of hardware key escrow device, store the credentials in that 3) Store the password in an encrypted form and have the radius daemon prompt the user for the decrypt key at startup (or retrieve it from some kind of key escrow service, think "ssh-agent" like structure). 4) if your MySQL server supports some other kind of authentication mechanism (EG GSSAPI) use that instead of passwords. 5) ask other people in your organization how they're handling this particular mandate. Good luck, aint bureaucracy fun... -- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{
Are you able to use environment variables like this?: server = $ENV{DB_HOST} port = $ENV{DB_PORT} login = $ENV{DB_USER} password = $ENV{DB_PASSWORD} radius_db = $ENV{DB_DATABASE} This is how we configure it in our cluster. If you run it directly on the machine, it does not provide any added security, but your requirement would be met. I know it just moves the need to encrypt the data to the OS, but there are probably more ways how to do it. Ludo On 7/23/24 17:21, Alan Smith via Freeradius-Users wrote:
A project I am working on does not allow storage of plain text passwords in the config file. That is why. On Tuesday, 23 July 2024 at 09:39:41 pm SGT, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 23, 2024, at 1:12 AM, Alan Smith via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
How may I encrypt the password used in Connection info in SQL module? Kindly advise. Thanks.
What problem would that solve?
Think about it for a bit. The server has to be able to decrypt that password somehow. So where is the decryption key stored? How can the server get access to it?
These kinds of approaches add complexity, and offer zero additional security.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (6)
-
Alan DeKok -
Alan Smith -
Dave Funk -
Marek Zarychta -
Nathan Ward -
Ľudovít Mikula