Keeping plain-text shared secret and user passwords in sql

Sven Hartge sven at svenhartge.de
Tue Nov 15 22:53:18 CET 2011


asdf zxcv <jazdatestowa at gmail.com> wrote:

> I'm attempting to use freeradius to authenticate wireless network in
> my organisation, using self-signed certificates.  I have installed
> freeradius 2.1.10 from debian 6 repository, set up basic configuration
> according to instructions on freeradius.org site, finally I've
> configured freeradius to use mysql.

> It seems to work properly, but I wonder if it is safe to keep user
> password and client secret in plaintext? I searched the lists and
> googled a bit, but I can't find any information regarding this case.

> So:
> 1 - is there a way (or sense) to hash shared secret in my database?

Not if you have to support challenge handshake authentication. If you
only use MSCHAPv2 or PAP, then you can store the password as an NT-Hash.
This is somewhat safer than clear text, but should still be secured,
because both the NT-Hash and the LM-Hash are quite easily broken
(L0phtCrack etc.)

> 2 - Can I hash user passwords if I'm using eap-tls?
> 2a - if I'm using certificates for authentication, do I actually need to
> keep user passwords? Cause it seems that they aren't used during
> authentication (or I didn't find that part during debugging)

If 2a, then no, as the certificate is the only needed credential of a
user/system, no username/password involved.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.