Is there a best practice around credential storage?

Alan DeKok aland at deployingradius.com
Fri Dec 20 14:41:43 CET 2019


On Dec 20, 2019, at 8:39 AM, Sven Hartge <sven at svenhartge.de> wrote:
> 
> On 20.12.19 13:53, Alan DeKok wrote:
> 
>>  Using multiple passwords doesn't really help.  If the DB is compromised, then *all* passwords are compromised.
> 
> Unless you store the password for freeradius in a different
> database/LDAP server/$whatever from the main password.
> 
> This is what I do. The LDAP servers for the network password are
> separate from the main authentication servers and the RADIUS servers can
> only interact with their special LDAP servers.
> 
> Should the RADIUS servers somehow get compromised, the attacked can only
> read the lower-value network password from there and not everything else.

  That works.

  I'm just too lazy to do that. :)

  Alan DeKok.




More information about the Freeradius-Users mailing list