Security of sql md5 vs unix auth
tnt at kalik.co.yu
tnt at kalik.co.yu
Mon Nov 5 20:15:11 CET 2007
crypt, sha etc. also won't work with PEAP. Only NT-hash.
Ivan Kalik
Kalik Informatika ISP
Dana 5/11/2007, "Ben Wiechman" <ben at wisper-wireless.com> piše:
>-----Original Message-----
>From: freeradius-users-bounces at lists.freeradius.org
>[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Alan
>DeKok
>Sent: Friday, November 02, 2007 6:42 PM
>To: FreeRadius users mailing list
>Subject: Re: Security of sql md5 vs unix auth
>
>Ben Wiechman wrote:
>> Background: we use freeradius to provide AAA for our wireless hotspots.
>> We would also like to use radius authentication for our layer 3
>> switches. This brings up the question of security.
>
> It brings up a question of limited choices.
>
>> Which is going to be more secure, md5 hashed passwords in MySQL, or
>> storing the passwords for the switch accounts in the /etc/shadow file
>
> It's effectively the same from a security point of view.
>
>> (I
>> had to set the file to world readable to allow the radiusd process to
>> read the file.).
>
> PLEASE don't do that! The comments in radiusd.conf describe how to
>*properly* let the server read /etc/shadow.
>
>> Or is there another, better alternative that I just
>> don't know about?
>
> If you're doing PEAP for WiFi, you *can't* use MD5 or /etc/shadow
>passwords.
>
> Alan DeKok.
>-
>
>Ahh... I see the comments now about changing the group to shadow. With that
>in mind it may be better to just encrypt the password. Thanks for the
>pointers.
>
>
>Ben
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
More information about the Freeradius-Users
mailing list