Secure auth methods pam_radius

Bob Probert bruisebrotherprobert at gmail.com
Tue Dec 3 20:57:46 CET 2013


Alan and Arran,

Thanks for your response.

The security of Radius has been questioned on a number of occasions; it is not
out of line to question it on the Radius Users mailing list.



On Tue, Dec 3, 2013 at 10:11 AM, Alan DeKok <aland at deployingradius.com> wrote:

> Bob Probert wrote:
> > In my understanding RADIUS provides security in the form of an MD5 hash
> > -- not ideal.
>
>   I said RADIUS secures the password.  I meant that.
>
>   It helps to understand the system before trying to fix it.
>
> > Has RADSEC been implemented for this PAM module? If not, how is the
> > community sanitizing this traffic? IPSEC? STUNNEL?
>
>   You're asking the wrong questions.  Your questions are based on a
> false assumption: that the password is insecure in normal RADIUS.
>
>   There is no evidence to believe that this is true.
>
>   If you want the traffic to be *more* secure, set the RADIUS server to
> be 127.0.0.1, and run a RADIUS proxy on the local machine.  It can then
> do RadSec to anywhere you want.
>
>   Or, you can configure IPSec, so that the RADIUS PAM module
> communicates with the RADIUS server over a network secured by IPSec.
>
>   Both solutions require *zero* changes to the PAM module.  All they
> require is a little knowledge of networking.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


More information about the Freeradius-Users mailing list