Theft of password.

Alan DeKok aland at ox.org
Fri Jun 24 01:32:02 CEST 2005


"Tahseen Hussain" <stud3080 at itu.dk> wrote:
> We are dealing with security problems of Radius in proxy chaining setup
> where end-to-end security is missing.

  There was a proposal years ago to use kerberos to solve this (and
other) problems, but it went nowhere.

> Our idea is based on the assumption that each remote or home Radius server will
> have its own key pair (public and private key). Whenever a user is in some
> other domain, then the user will send its password encrypted with the
> public key of its home radius server

  How are you going to fix the umpteen million clients out there to
have this public key, and implement this algorithm?

  One way to get the same effect (without the problems) is to use
EAP-TTLS with PAP inside of the tunnel.  All of the intermediate
proxies can proxy the TLS session, but they don't know what's inside
it.  The home server terminates the tunnel, so it gets access to the key.

  All that's required here is that the supplicant have the home
server's certificate, AND that the "validate server certificate"
checkbox is selected.

> We are planning to implement this feature. I would like to hear feedback
> and comments on this scheme. Is there any other way to overcome theft of
> password threat?

  If you do this, I'm curious to know which clients you will update to
have this feature, and how you will implement it.

  Personally, I'd just use a standard authentication method.

  Alan DeKok.
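The exposure the thread is about, as an added example that is not part of the original mailing-list post: RFC 2865 section 5.2 hides User-Password with a keystream derived from the hop's shared secret and the Request Authenticator, so a proxy that forwards to the next hop has to reveal the password with the inbound secret and hide it again with the outbound one. The secrets, password and authenticators below are constructed for the demonstration.

```python
import hashlib
import os


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad with nulls to a multiple of
    16 octets, then XOR each block with MD5(secret + previous block), where the
    'previous block' for the first block is the 16-octet Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the hop secret can do this."""
    padded, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        padded += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")


def forward_through_chain(password: bytes, secrets: list) -> tuple:
    """Simulate NAS -> proxy -> ... -> home server, one shared secret per hop.
    Each proxy must recover the cleartext with the inbound secret and re-hide it
    with the outbound secret under a fresh Request Authenticator, so every proxy
    in the chain holds the cleartext password. Returns (what each proxy saw,
    what the home server recovers)."""
    seen_by_proxies = []
    authenticator = os.urandom(16)  # constructed, as a NAS would generate it
    hidden = hide_password(password, secrets[0], authenticator)
    for inbound, outbound in zip(secrets, secrets[1:]):
        clear = reveal_password(hidden, inbound, authenticator)  # proxy sees it
        seen_by_proxies.append(clear)
        authenticator = os.urandom(16)
        hidden = hide_password(clear, outbound, authenticator)
    home_sees = reveal_password(hidden, secrets[-1], authenticator)
    return seen_by_proxies, home_sees
```

With EAP-TTLS the proxies forward opaque TLS records instead, and only the home server that terminates the tunnel ever recovers the inner PAP password.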


