Is it possible to use CHAP authentication with pam_radius?
Dan Swartzendruber
dswartz at druber.com
Thu Sep 26 20:11:07 CEST 2019
On 2019-09-26 13:11, Alan DeKok wrote:
> On Sep 26, 2019, at 1:06 PM, Dan Swartzendruber <dswartz at druber.com>
> wrote:
>>
>> I'm trying to implement external authentication for an appliance
>> running CentOS 7. My research turned up the easiest solution as
>> simply installing pam_radius from the repository. I did, and it works
>> just fine (tested against a Freeradius 3.0 server with a single test
>> user.) Running freeradius with '-X' indicates that it is using PAP:
>> ...
>> For security reasons, I'd really like to use CHAP instead, but it
>> doesn't seem to support that? The man pages and such don't mention
>> CHAP. I went as far as downloading 1.4.0 and extracting the tarball
>> and looking at the code. User-Password is Radius attribute 2, and
>> looking at the source:
>
> The pam_radius_auth module doesn't do CHAP.
>
> TBH, any "security" argument is not really relevant. The whole idea
> of "PAP is insecure" is a marketing checklist, not a security
> analysis.
No argument here. Unfortunately, some of our customers are
anal-retentive and have security compliance audits run, and having
cleartext passwords is going to be problematic. I'm wondering if I
could tunnel RADIUS over TCP using an ssh tunnel? This is a very small
number of customers who will care, but they have a disproportionate
influence...
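
Background for the PAP/CHAP question in this thread, as an added example that is not part of the original messages and is not pam_radius or FreeRADIUS code: how RFC 2865 builds the value of attribute 2 (User-Password, sections 5.2) and attribute 3 (CHAP-Password, section 5.3). The function names are hypothetical and the secret, password and authenticator values are constructed.

```python
import hashlib
import hmac
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Attribute 2 value as sent in a PAP Access-Request (RFC 2865 5.2)."""
    if not 0 < len(password) <= 128 or len(req_auth) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        # c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def recover_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Reverse step: possible for any party that holds the shared secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Attribute 3 value: CHAP ident + MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(attr: bytes, known_password: bytes, challenge: bytes) -> bool:
    """Server side: the cleartext password is needed to recompute the digest."""
    return hmac.compare_digest(attr, chap_password(attr[0], known_password, challenge))


if __name__ == "__main__":
    secret, pw = b"constructed-shared-secret", b"constructed-password"
    ra = os.urandom(16)  # Request Authenticator, random per request
    hidden = hide_user_password(pw, secret, ra)
    print("User-Password on the wire:", hidden.hex())
    print("recovered with secret    :", recover_user_password(hidden, secret, ra))
    print("CHAP-Password on the wire:", chap_password(1, pw, ra).hex())
```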