Keeping plain-text shared secret and user passwords in sql

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Tue Nov 15 22:51:59 CET 2011


Hi,
>    I'm attempting to use freeradius to authenticate wireless network in my
>    organisation, using self-signed certificates.
>    I have installed freeradius 2.1.10 from debian 6 repository, set up basic
>    configuration according to instructions on freeradius.org site, finally
>    I've configured freeradius to use mysql.
>    It seems to work properly, but i wonder if it is safe to keep user
>    password and client secret in plaintext? I searched the lists and googled
>    a bit, but I can't find any information regarding this case.
>    So:
>    1 - is there a way (or sense) to hash shared secret in my database?
>    2 - Can I hash user passwords if I'm using eap-tls?
>    2a - if I'm using certificates for authentication, do I actually need to
>    keep user passwords? Cause it seems that they aren't used during
>    authentication (or I didn't find that part during debuging)

Depends on many things. How paranoid are you? What sort of security level does
this server have? Is the MySQL on a separate server from the FR daemon? Is
the SQL connection encrypted? And more. You can hash (salted please!) the passwords
so that they are not readable.... but if someone has that sort of access to the
DB then might they not already be inserting their own user/pass for access?
Security by obscurity isn't the best way.... being worried about such a thing
and being more secure and paranoid about security over the server/system might
be a better way :-)

alan
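The salted-hash point in the reply above, as an added example that is not part of the original thread or of FreeRADIUS itself. It builds an in-memory table shaped like the `radcheck` table that the FreeRADIUS SQL module reads (username / attribute / op / value), stores one user with `Cleartext-Password` (a real FreeRADIUS check attribute) and one with a salted PBKDF2-SHA256 hash under the placeholder attribute name `Hashed-Password` (an assumption for this demo, not an attribute FreeRADIUS recognises; a real deployment would use whichever hashed-password attribute its PAP module supports and store the hash in that module's expected format), and then shows what someone with read access to the table actually sees in each case.

```python
import base64
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing salted hash: algorithm$iterations$salt$digest (base64 fields)."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data in a table shaped like FreeRADIUS's radcheck (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT)")
    # alice: plaintext, as in the original poster's setup
    conn.execute("INSERT INTO radcheck VALUES (?, ?, ?, ?)",
                 ("alice", "Cleartext-Password", ":=", "alice-secret"))
    # bob: salted hash; 'Hashed-Password' is a placeholder attribute name for this demo
    conn.execute("INSERT INTO radcheck VALUES (?, ?, ?, ?)",
                 ("bob", "Hashed-Password", ":=", hash_password("bob-secret")))
    return conn


def check_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """PAP-style check: compare a submitted password against the user's stored check item."""
    row = conn.execute("SELECT attribute, value FROM radcheck WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    attribute, value = row
    if attribute == "Cleartext-Password":
        return hmac.compare_digest(value.encode("utf-8"), password.encode("utf-8"))
    if attribute == "Hashed-Password":
        return verify_password(password, value)
    return False


def stored_values(conn: sqlite3.Connection) -> List[str]:
    """What a reader of the table sees: the raw 'value' column for every row."""
    return [v for (v,) in conn.execute("SELECT value FROM radcheck")]


if __name__ == "__main__":
    db = build_demo_db()
    for v in stored_values(db):
        print("stored:", v)  # alice's password is readable, bob's is only a salted hash
    print("alice ok:", check_login(db, "alice", "alice-secret"))
    print("bob ok:", check_login(db, "bob", "bob-secret"))
    print("bob wrong:", check_login(db, "bob", "wrong"))
```

Both users authenticate the same way, but a dump of the table exposes alice's password and only a salted, slow hash of bob's. Hashing only helps for authentication methods that receive the password itself (PAP, and EAP methods that carry PAP inside a tunnel); MS-CHAP-style methods need either the cleartext or an NT hash, so the choice of hash format has to match what the server's PAP module and your EAP methods actually use. As the reply notes, this does not protect against someone who can write to the table.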


