Keeping plain-text shared secret and user passwords in sql
I'm attempting to use freeradius to authenticate wireless network in my organisation, using self-signed certificates. I have installed freeradius 2.1.10 from debian 6 repository, set up basic configuration according to instructions on freeradius.org site, finally I've configured freeradius to use mysql. It seems to work properly, but i wonder if it is safe to keep user password and client secret in plaintext? I searched the lists and googled a bit, but I can't find any information regarding this case. So: 1 - is there a way (or sense) to hash shared secret in my database? 2 - Can I hash user passwords if I'm using eap-tls? 2a - if I'm using certificates for authentication, do I actually need to keep user passwords? Cause it seems that they aren't used during authentication (or I didn't find that part during debuging) Regards Peter
Hi,
I'm attempting to use freeradius to authenticate wireless network in my organisation, using self-signed certificates.� I have installed freeradius 2.1.10 from debian 6 repository, set up basic configuration according to instructions on [1]freeradius.org site, finally I've configured freeradius to use mysql. It seems to work properly, but i wonder if it is safe to keep user password and client secret in plaintext? I searched the lists and googled a bit, but I can't find any information regarding this case.� So: 1 - is there a way (or sense) to hash shared secret in my database? 2 - Can I hash user passwords if I'm using eap-tls? 2a - if I'm using certificates for authentication, do I actually need to keep user passwords? Cause it seems that they aren't used during authentication (or I didn't find that part during debuging)
depends on many things. how paranoid are you? what sort of security level does this server have? is the MySQL on a seperate server from the FR daemon? is the SQL connection encrypted? and more. you can hash (salted please!) the passwords so that they are not readable.... but if someone has that sort of access to the DB then might they not already be inserting their own user/pass for access? security by obscurity isnt the best way....being worried about such a thing and being more secure and paranoid about security over the server/system might be a better way :-) alan
asdf zxcv <jazdatestowa@gmail.com> wrote:
I'm attempting to use freeradius to authenticate wireless network in my organisation, using self-signed certificates. I have installed freeradius 2.1.10 from debian 6 repository, set up basic configuration according to instructions on freeradius.org site, finally I've configured freeradius to use mysql.
It seems to work properly, but i wonder if it is safe to keep user password and client secret in plaintext? I searched the lists and googled a bit, but I can't find any information regarding this case.
So: 1 - is there a way (or sense) to hash shared secret in my database?
Not if you have to support challange handshake authentication. If you only use MSCHAPv2 or PAP, then you can store the password as an NT-Hash. This is somewhat safer than clear text, but should still be secured, because both the NT-Hash and the LM-Hash are quite easily broken (l0pthcrack etc.)
2 - Can I hash user passwords if I'm using eap-tls? 2a - if I'm using certificates for authentication, do I actually need to keep user passwords? Cause it seems that they aren't used during authentication (or I didn't find that part during debuging)
If 2a, then no, as the certificate is the only needed credential of a user/system, no username/password involved. Grüße, Sven. -- Sigmentation fault. Core dumped.
Thanks Alan, Sven. SQL server is on the same virtual machine with freeradius. I'm also creating a web application to manage users, certificates, server settings etc - it will be hosted on the same machine. I just thought that keeping ANY passwords ANYWHERE in plaintext form is not a good idea. But then again, if someone gains access to my server then in fact he could do anything and password would not matter.
2 - Can I hash user passwords if I'm using eap-tls?
2a - if I'm using certificates for authentication, do I actually need to keep user passwords? Cause it seems that they aren't used during authentication (or I didn't find that part during debuging)
If 2a, then no, as the certificate is the only needed credential of a user/system, no username/password involved.
Thats good and bad. - Good, cause it simplifies initial implementation a bit. - Bad, because I was counting i could do something like double authentication - user/password after cert verification. But in that case, is there any way to 'disable' users key in case i don't want him to access my network? What if I need to generate new user certificate as a replacement to the old one that has been lost/stolen etc? I can give 'Expiration' attribute to the account, but that doesn't solve the case, as I want to give the same user a new key. Any ideas?
participants (3)
-
Alan Buxey -
asdf zxcv -
Sven Hartge