Is there a best practice around credential storage?

Sven Hartge sven at svenhartge.de
Fri Dec 20 14:39:25 CET 2019


On 20.12.19 13:53, Alan DeKok wrote:

>   Using multiple passwords doesn't really help.  If the DB is compromised, then *all* passwords are compromised.

Unless you store the password for freeradius in a different
database/LDAP server/$whatever from the main password.

This is what I do. The LDAP servers for the network password are
separate from the main authentication servers and the RADIUS servers can
only interact with their special LDAP servers.

Should the RADIUS servers somehow get compromised, the attacker can only
read the lower-value network password from there and not everything else.

Regards,
Sven.
