Is it possible to use CHAP authentication with pam_radius?

Dan Swartzendruber dswartz at druber.com
Thu Sep 26 20:11:07 CEST 2019


On 2019-09-26 13:11, Alan DeKok wrote:
> On Sep 26, 2019, at 1:06 PM, Dan Swartzendruber <dswartz at druber.com> 
> wrote:
>> 
>> I'm trying to implement external authentication for an appliance 
>> running CentOS 7.  My research turned up the easiest solution as 
>> simply installing pam_radius from the repository.  I did, and it works 
>> just fine (tested against a Freeradius 3.0 server with a single test 
>> user.)  Running freeradiux with '-X' indicates that is using PAP:
>> ...
>> For security reasons, I'd really like to use CHAP instead, but it 
>> doesn't seem to support that?  The man pages and such don't mention 
>> CHAP.  I went as far as downloading 1.4.0 and extracting the tarball 
>> and looking at the code.  User-Password is Radius attribute 2, and 
>> looking at the source:
> 
>   The pam_radius_auth module doesn't do CHAP.
> 
>   TBH, any "security" argument is not really relevant.  The whole idea
> of "PAP is insecure" is a marketing checklist, not a security
> analysis.

No argument here.  Unfortunately, some of our customers are 
anal-retentive and have security compliance audits run, and having 
cleartext passwords is going to be problematic.  I'm wondering if I 
could tunnel RADIUS over TCP using an ssh tunnel?  This is a very small 
number of customers who will care, but they have a disproportionate 
influence...


More information about the Freeradius-Users mailing list