pptpd+freeradius+ldap: which password encryption can I use?

John Dennis jdennis at redhat.com
Tue Apr 30 14:54:18 CEST 2013


On 04/30/2013 06:11 AM, Alberto Aldrigo wrote:
> Hi Everybody,
>
> I'm trying to set up a PPTPD server which would authenticate users using
> my openLDAP user database; in doing so I need freeradius.
> By now the only setup that actually works is: users in LDAP with clear
> text password.
> Obviously I want to use some kind of encryption for passwords and I
> don't like the solution of using cleartext passwords and the use of a
> specific user allowed to access the password attribute, so my
> question is: which other possibilities do I have?
> Looking at this table
> http://deployingradius.com/documents/protocols/compatibility.html I
> understand that I can use pap + sha1 but I can't understand how. Can
> anyone help me understand what is possible and what not?
> Many thanks

Cleartext passwords should work for most everything as shown in the
compatibility table; if it's not, you've broken something.

Your other option is to hash your passwords; refer to the table for what
will work. You'll probably need to prefix your password values with a
scheme prefix.

However, hashing is *not* encryption, nor is hashing secure. Do not depend
on hashing to provide protection! Most hashes can be broken easily. This
is especially true if they can be retrieved for offline cracking, which
is the gift you're giving your attacker if you don't lock down your
password attributes.

Bottom line, there is no short-cut or excuse not to lock down password
attributes with ACLs such that only a select subset of users can see
them (e.g. radiusd, root).


-- 
John Dennis <jdennis at redhat.com>
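
How a scheme-prefixed hash is checked against a PAP password, as an added example that is not part of the original message or of FreeRADIUS: it assumes the OpenLDAP-style `{SHA}` and `{SSHA}` value formats, and all function names are hypothetical. The check is possible with PAP because the cleartext password reaches the server, which can re-hash it and compare.

```python
import base64
import hashlib
import hmac
import os

def make_sha(password):
    """Unsalted value: {SHA} + base64(SHA1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

def make_ssha(password, salt=None):
    """Salted value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def split_scheme(stored):
    """Return (scheme, body); a value without a {SCHEME} prefix is cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, body = stored[1:].split("}", 1)
        return scheme.upper(), body
    return "CLEARTEXT", stored

def pap_check(offered, stored):
    """Check the password received over PAP against the stored attribute value."""
    scheme, body = split_scheme(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(offered.encode(), body.encode())
    if scheme not in ("SHA", "SSHA"):
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(body, validate=True)
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    if len(digest) != 20 or (scheme == "SHA" and salt):
        raise ValueError("malformed hash value")
    candidate = hashlib.sha1(offered.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

if __name__ == "__main__":
    # Constructed sample password, not taken from the thread.
    stored = make_ssha("constructed-sample-pw")
    print(stored)
    print(pap_check("constructed-sample-pw", stored), pap_check("wrong", stored))
```
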


