attribute value length limit
Fco. Javier Melero
javier at di.uc3m.es
Fri Sep 28 15:48:05 CEST 2007
Alan DeKok wrote:
> Fco. Javier Melero wrote:
>
>> Well, surely I'm missing something, but that's the way I've found to
>> store clear text passwords in LDAP keeping some peace of mind. What
>> could be the alternative?
>>
>
> Storing them as clear-text.
>
> Encrypting them adds *zero* benefit, because the application that needs
> the passwords has to be given the decryption key. Since the decryption
> key is scattered all over the place in your network, it's not adding
> much security.
>
> To put it another way, almost no one does what you're doing.
>
>
Maybe some context will help. What we are trying to do is implement an
802.1x wireless LAN which can allow multiple EAP methods under the same
SSID. If you want TTLS/PAP and PEAP/MSCHAP working together the only way
is to use clear text passwords (or I think so). In our scenario, which
is only a test so far, there will be no applications using this
attribute. The RADIUS server will be the only one which will have the
private key, and hopefully, keeping it as safe as we can, the whole
system will have reasonable security.
Are we driving ourselves insane? Tell me the truth ;-)
Have a nice weekend.
--
=========================================================
Fco. Javier Melero de la Torre
Universidad Carlos III de Madrid
Servicio de Informática y Comunicaciones
Area de Seguridad y Comunicaciones
(https://asyc.uc3m.es)
e-mail: javier at di.uc3m.es
phone: (+34) 916.249.980, (+34) 918.561.341
fax: (+34) 916.249.430
=========================================================