Re: Secure Storage and Transport of User Credentials
Hello, is there a way to securely transport and store the Username/Password with freeradius? If I am informed correctly, you can use PEAP to ensure that the data is encrypted but the most supported PEAP mode is with MSCHAPv2 which implies that the passwords are stored in clear text or NT-Hash. Did I get something wrong here? I am fairly new to RADIUS and therefore I don't know that much about it... Thanks in advance! Best regards, Marco Macala
On 11/07/12 12:45, Marco Macala wrote:
Hello,
is there a way to securely transport and store the Username/Password with freeradius?
What does that mean?
If I am informed correctly, you can use PEAP to ensure that the data is encrypted but the most supported PEAP mode is with MSCHAPv2 which implies that the passwords are stored in clear text or NT-Hash.
Yes.
Hi,
is there a way to securely transport and store the Username/Password with freeradius? If I am informed correctly, you can use PEAP to ensure that the data is encrypted but the most supported PEAP mode is with MSCHAPv2 which implies that the passwords are stored in clear text or NT-Hash.
....PEAP will securely transport things - as with MSCHAPv2 the password is never sent. whether the passwords are stored in plain/nt-has format is down to how you are doing things.. if they are stored in AD then they are not stored in a plain format. alan
The problem is, that I do not trust the network and I don't want to store the password in plain. Also, isn't the NT Hash insecure beacuse it is easily cracked? Or am i mixing things up? 2012/7/11 alan buxey <A.L.M.Buxey@lboro.ac.uk>
Hi,
is there a way to securely transport and store the Username/Password with freeradius? If I am informed correctly, you can use PEAP to ensure that the data is encrypted but the most supported PEAP mode is with MSCHAPv2 which implies that the passwords are stored in clear text or NT-Hash.
....PEAP will securely transport things - as with MSCHAPv2 the password is never sent.
whether the passwords are stored in plain/nt-has format is down to how you are doing things.. if they are stored in AD then they are not stored in a plain format.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
The problem is, that I do not trust the network and I don't want to store the password in plain. Also, isn't the NT Hash insecure beacuse it is easily cracked? Or am i mixing things up?
if you dont trust the network then you will also need to looking at using TLS to transport things around - eg RADSEC or a VPN tunnel. as for NT hash - yes, there are security issues but only if you have access to them or expose them - if you bind the FreeRADIUS system to an AD and use eg ntlm_auth then the NThash isnt accessed. alan
if you dont trust the network then you will also need to looking at using TLS to transport things around - eg RADSEC or a VPN tunnel.
isn't the point of PEAP that i don't need them because it is wrapped in an encrypted communication?
as for NT hash - yes, there are security issues but only if you have access to them or expose them - if you bind the FreeRADIUS system to an AD and use eg ntlm_auth then the NThash isnt accessed.
The thing is, i can't use AD to store the passwords. Specifically, i would like to store the password as a salted hash. I want something like this: - encrypted channel between authenticator and radius server - passwords stored as a salted hash 2012/7/11 alan buxey <A.L.M.Buxey@lboro.ac.uk>
Hi,
The problem is, that I do not trust the network and I don't want to store the password in plain. Also, isn't the NT Hash insecure beacuse it is easily cracked? Or am i mixing things up?
if you dont trust the network then you will also need to looking at using TLS to transport things around - eg RADSEC or a VPN tunnel.
as for NT hash - yes, there are security issues but only if you have access to them or expose them - if you bind the FreeRADIUS system to an AD and use eg ntlm_auth then the NThash isnt accessed.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 11/07/12 14:04, Marco Macala wrote:
if you dont trust the network then you will also need to looking at using TLS to transport things around - eg RADSEC or a VPN tunnel.
isn't the point of PEAP that i don't need them because it is wrapped in an encrypted communication?
Yes.
as for NT hash - yes, there are security issues but only if you have access to them or expose them - if you bind the FreeRADIUS system to an AD and use eg ntlm_auth then the NThash isnt accessed.
The thing is, i can't use AD to store the passwords. Specifically, i would like to store the password as a salted hash.
You can't do this, and use PEAP. PEAP requires MSCHAPv2, which requires plaintext or NT hash exist SOMEWHERE. See: http://deployingradius.com/documents/protocols/compatibility.html
I want something like this: - encrypted channel between authenticator and radius server
PEAP or TTLS will provide this.
- passwords stored as a salted hash
Only TTLS-PAP will provide this. See the link above. TTLS is not available until Windows 8, so you will need to deploy software on windows clients.
Thanks for the information, your really helped me A LOT! I already looked into http://deployingradius.com/**documents/protocols/** compatibility.html<http://deployingradius.com/documents/protocols/compatibility.html> but I hoped there could be some way around this. 2012/7/11 Phil Mayers <p.mayers@imperial.ac.uk>
On 11/07/12 14:04, Marco Macala wrote:
if you dont trust the network then you will also need to looking at using TLS to transport things around - eg RADSEC or a VPN tunnel.
isn't the point of PEAP that i don't need them because it is wrapped in an encrypted communication?
Yes.
as for NT hash - yes, there are security issues but only if you have access to them or expose them - if you bind the FreeRADIUS system to an AD and use eg ntlm_auth then the NThash isnt accessed.
The thing is, i can't use AD to store the passwords. Specifically, i would like to store the password as a salted hash.
You can't do this, and use PEAP. PEAP requires MSCHAPv2, which requires plaintext or NT hash exist SOMEWHERE. See:
I want something like this: - encrypted channel between authenticator and radius server
PEAP or TTLS will provide this.
- passwords stored as a salted hash
Only TTLS-PAP will provide this. See the link above. TTLS is not available until Windows 8, so you will need to deploy software on windows clients.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Marco Macala wrote:
Thanks for the information, your really helped me A LOT!
I already looked into http://deployingradius.com/documents/protocols/compatibility.html but I hoped there could be some way around this.
What part of "impossible" is hard to understand? You read the documentation. Instead of believing it, you wasted everyones time by asking questions where you already knew the answer. That's rude. Alan DeKok.
participants (4)
-
alan buxey -
Alan DeKok -
Marco Macala -
Phil Mayers