Security of sql md5 vs unix auth

Ben Wiechman ben at wisper-wireless.com
Tue Nov 6 19:22:15 CET 2007 

I had to do a little digging, but I got md5 auth set up and working. Thanks
for the help. I was more comfortable doing that than changing permissions on
the /etc/shadow and dealing with modifying SELinux attributes.

Thanks for the help.

Ben Wiechman

-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
tnt at kalik.co.yu
Sent: Monday, November 05, 2007 1:15 PM
To: FreeRadius users mailing list
Subject: RE: Security of sql md5 vs unix auth

crypt, sha etc. also won't work with PEAP. Only NT-hash.

Ivan Kalik
Kalik Informatika ISP

Dana 5/11/2007, "Ben Wiechman" <ben at wisper-wireless.com> piše:

>-----Original Message-----
>From: freeradius-users-bounces at lists.freeradius.org
>[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Alan
>DeKok
>Sent: Friday, November 02, 2007 6:42 PM
>To: FreeRadius users mailing list
>Subject: Re: Security of sql md5 vs unix auth
>
>Ben Wiechman wrote:
>> Background: we use freeradius to provide AAA for our wireless hotspots.
>> We would also like to use radius authentication for our layer 3
>> switches. This brings up the question of security.
>
>  It brings up a question of limited choices.
>
>> Which is going to be more secure, md5 hashed passwords in MySQL, or
>> storing the passwords for the switch accounts in the /etc/shadow file
>
>  It's effectively the same from a security point of view.
>
>> (I
>> had to set the file to world readable to allow the radiusd process to
>> read the file.).
>
>   PLEASE don't do that!  The comments in radiusd.conf describe how to
>*properly* let the server read /etc/shadow.
>
>> Or is there another, better alternative that I just
>> don't know about?
>
>  If you're doing PEAP for WiFi, you *can't* use MD5 or /etc/shadow
>passwords.
>
>  Alan DeKok.
>-
>
>Ahh... I see the comments now about changing the group to shadow. With that
>in mind it may be better to just encrypt the password. Thanks for the
>pointers.
>
>
>Ben
>
>
>-
>List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>
>

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list