Security of sql md5 vs unix auth

Ben Wiechman ben at wisper-wireless.com
Mon Nov 5 19:18:30 CET 2007


-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Alan
DeKok
Sent: Friday, November 02, 2007 6:42 PM
To: FreeRadius users mailing list
Subject: Re: Security of sql md5 vs unix auth

Ben Wiechman wrote:
> Background: we use freeradius to provide AAA for our wireless hotspots.
> We would also like to use radius authentication for our layer 3
> switches. This brings up the question of security.

  It brings up a question of limited choices.

> Which is going to be more secure, md5 hashed passwords in MySQL, or
> storing the passwords for the switch accounts in the /etc/shadow file

  It's effectively the same from a security point of view.

> (I
> had to set the file to world readable to allow the radiusd process to
> read the file.).

   PLEASE don't do that!  The comments in radiusd.conf describe how to
*properly* let the server read /etc/shadow.

> Or is there another, better alternative that I just
> don't know about?

  If you're doing PEAP for WiFi, you *can't* use MD5 or /etc/shadow
passwords.

  Alan DeKok.
-

Ahh... I see the comments now about changing the group to shadow. With that
in mind it may be better to just encrypt the password. Thanks for the
pointers.


Ben
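The permission point raised in this thread (a world-readable /etc/shadow versus read access through the shadow group), as an added example that is not part of either message. The function names, the verdict words and the daemon account name `radiusd` are assumptions for illustration, and `audit_file` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: decide whether a shadow-style file is readable by the
# RADIUS daemon only through group membership, and by nobody else.

# classify_access MODE FILE_GROUP DAEMON_GROUPS
#   MODE          octal permission bits, e.g. 640 or 0644
#   FILE_GROUP    group that owns the file
#   DAEMON_GROUPS space-separated groups the daemon account belongs to
# Prints one verdict word.
classify_access() {
    mode=$1 file_group=$2 daemon_groups=$3
    other=${mode#"${mode%?}"}      # last octal digit: bits for "other"
    rest=${mode%?}
    grp=${rest#"${rest%?}"}        # second-to-last digit: bits for group
    if [ $(( other & 4 )) -ne 0 ]; then
        echo WORLD_READABLE        # every local account can read the hashes
    elif [ "$other" -ne 0 ]; then
        echo WORLD_ACCESS          # write/execute for "other" is wrong too
    elif [ $(( grp & 4 )) -ne 0 ]; then
        case " $daemon_groups " in
            *" $file_group "*) echo OK_GROUP_READ ;;
            *)                 echo DAEMON_CANNOT_READ ;;
        esac
    else
        echo DAEMON_CANNOT_READ    # no group read bit at all
    fi
}

# audit_file FILE USER: feed real values into the classifier.
# Assumes GNU stat (-c) and an existing account name.
audit_file() {
    classify_access "$(stat -c '%a' "$1")" "$(stat -c '%G' "$1")" \
                    "$(id -Gn "$2")"
}

# Constructed sample values, not taken from a real host.
printf '%s\n' "0644 root,   daemon in: radiusd        -> $(classify_access 0644 root 'radiusd')"
printf '%s\n' "0640 shadow, daemon in: radiusd        -> $(classify_access 0640 shadow 'radiusd')"
printf '%s\n' "0640 shadow, daemon in: radiusd shadow -> $(classify_access 0640 shadow 'radiusd shadow')"
```

On a real host the call would be `audit_file /etc/shadow radiusd`, with the account name replaced by whatever user the server runs as.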