Hiding "secret" used for PAM authentication

Phil Mayers p.mayers at imperial.ac.uk
Sat Nov 19 11:38:44 CET 2011


On 11/19/2011 12:26 AM, Gregory Machin wrote:
> Hi.
> We are using PAM to authenticate users against Freeradius, and
> that is working well. The problem is that the users are 3rd party
> developers and some need root access. The issue we have is that the
> radius secret is stored in a clear text file. How can this be hidden so
> that it can be misused?

There's no way within FreeRADIUS. The secret must be in plaintext, in 
order to be used.

If you don't trust the users, you shouldn't give them root access.

I suppose it might be possible to use a MAC system like SELinux to 
confine the untrusted parties into a domain which can't read the 
FreeRADIUS config files, but can do everything else - but it would be 
tricky.

Basically - you can't hide things from root.


