attribute value length limit

Alan DeKok aland at deployingradius.com
Mon Oct 1 13:53:33 CEST 2007


Fco. Javier Melero wrote:
> Ok, I've had a look at your Deploying Radius site and that compatibility
> table. I haven´t seen it before. I guess ntlm_auth can do it too. And we
> could add a pre-calculated digest hash for those VoIP dudes. We will try
> all that.

  You need ntlm_auth ONLY for Active Directory.  For every other LDAP
server, you can just store the NT hash directly.  But even that is
pretty meaningless.  You can get crackers that will turn 99% of the NT
hash into clear-text passwords in 5 minutes.

  Fake security just wastes your time.

> But if somebody manages to break into your LDAP server that won't help
> you.Of course, somebody can break into your RADIUS server too, but, at
> least in our case, the RADIUS server is easier to protect (no operators
> updating the database and not unknown clients connecting to it). 

  If it is visible on the network, then people can attack it.  They may
not succeed, but they can try.

  And the security of the RADIUS protocol is pretty bad.

> IMHO
> It's better to avoid plain-text passwords, but, if you really need them,
> the whole system security will be stronger (or less weak) with that
> asymmetric ciphering than without it.

  I'm not sure I agree.  Adding little pieces of security to address
perceived flaws is almost always a waste of time.

  It's better to do a *system* security analysis, and a suite of
security fixes for your entire system.

  Alan DeKok.



More information about the Freeradius-Users mailing list