Authentication protocols that DO support hashed passwords

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Nov 10 20:23:41 CET 2014


> On 10 Nov 2014, at 14:01, E.S. Rosenberg <esr+freeradius-users at mail.hebrew.edu> wrote:
> 
> Hi all,
> I was doing some research into the authentication protocol used by a
> VPN solution we are trying and came across this fairly old thread on
> your list:
> http://freeradius.1045715.n5.nabble.com/Chap-auhtentication-against-LDAP-td2781170.html
> 
> Which in turn links to a nice page by Alan DeKok here:
> http://deployingradius.com/documents/protocols/compatibility.html
> 
> Which left me asking myself 2 questions:
> 1. Did anything change in the past 5 years, is there any decently
> supported protocol that does support hashed passwords (other than
> PAP)?

Windows 8 now supports EAP-TTLS-PAP.

> 2. How can it be that all these protocols were designed with the idea
> that the auth server should have a cleartext copy of the users'
> password, haven't we all known for years now that that's a bad idea?

Passwords in general are shit security.

If you want something secure, use EAP-TLS; it's supported by every major
supplicant. The private key need only be known to one party (the supplicant).

If you still want passwords for 2FA, allow the users to set encryption
keys for the private cert.

Then, if your DB is compromised there's nothing to leak, except user identities.

Most of the difficulties around managing PKI are imagined.

For OSX and Windows you can easily generate network profiles that bundle 
personal certs with the settings required to connect to Wired/Wireless 
Networks and VPNs.

If you're concerned about passwords being compromised stop using passwords.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2


