/etc/shadow
Alan DeKok
aland at deployingradius.com
Thu Nov 20 18:08:49 CET 2008

Norman Zhang wrote:
> My current radius installation permits radius daemon read-only access to
> /etc/shadow. But this introduces security risks.
  Such as?
> -rw-r--r--  1 root root 6514 Nov 18 16:52 /etc/shadow
> 
> I have been told to consider a MySQL back-end. Is there a way to pull the
> existing local users/passwords into MySQL? Or do I have to recreate every user
> plus password in MySQL?
  You can manually write a program that runs as root to pull
user/password information from /etc/shadow, and copy it to an SQL database.
  But you will be providing the RADIUS server with... access to the
username && password.  Which is what happens when you let it read
/etc/shadow.
  i.e. If you're worried about letting your RADIUS server read
/etc/shadow, you shouldn't be giving it *any* information about users or
passwords.
  Alan DeKok.
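
The copy step described in the reply above, as an added example that is not part of the original post or of FreeRADIUS: it parses shadow(5)-format text and loads the usable hashes into a `radcheck` table as `Crypt-Password` check items. The sample entries and hashes are constructed, the table layout is assumed to match the stock FreeRADIUS SQL schema, and an in-memory SQLite database stands in for MySQL so the block runs offline. The resulting table holds the same hashes that /etc/shadow does.

```python
import sqlite3

# Constructed sample in shadow(5) format; the hashes are placeholders, not real.
SAMPLE_SHADOW = """\
root:!:14201:0:99999:7:::
daemon:*:14201:0:99999:7:::
alice:$1$CONSTRUCTED$placeholderhashAAAAAAAAAA:14201:0:99999:7:::
bob:$1$CONSTRUCTED$placeholderhashBBBBBBBBBB:14201:0:99999:7:::
carol:!$1$CONSTRUCTED$placeholderhashCCCCCCCC:14201:0:99999:7:::
dave::14201:0:99999:7:::
"""

def usable_hashes(shadow_text):
    """Yield (username, crypt_hash) for accounts that have a usable password hash."""
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line
        user, pw = fields[0], fields[1]
        # Skip empty passwords and locked/disabled entries ("!", "*", "!!", "!<hash>").
        if not pw or pw[0] in "!*":
            continue
        yield user, pw

def load_radcheck(conn, shadow_text):
    """Insert one Crypt-Password check item per usable account; return the row count."""
    # Assumed layout: the radcheck columns of the stock FreeRADIUS SQL schema.
    conn.execute("CREATE TABLE IF NOT EXISTS radcheck ("
                 "id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT)")
    rows = [(u, "Crypt-Password", ":=", h) for u, h in usable_hashes(shadow_text)]
    # Parameterized insert: hash strings contain '$' and '/' and must never be spliced into SQL.
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")  # stand-in for the MySQL back-end
    print(load_radcheck(conn, SAMPLE_SHADOW), "accounts copied")
    for row in conn.execute("SELECT username, attribute, op FROM radcheck"):
        print(row)
```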
    
    
More information about the Freeradius-Users
mailing list