SQL module and credentials configured in the clear

Alan DeKok aland at deployingradius.com
Fri Apr 29 00:46:22 UTC 2022


On Apr 28, 2022, at 7:57 PM, Brendan Kearney <bpk678 at gmail.com> wrote:
> for a myraid of purposes, i have my radius servers connect to MariaDB, and have configured mods-available/sql with the requisite user/pass credential set.  i am wondering if the case can be made to add/include the option to use the keytab created and used for LDAP connectivity.  having a user/pass combo in clear text on the filesystem is no-no in many organizations.

  I disagree, but people can do whatever they want on their own systems.

  The underlying issue is that the credentials have to go somewhere.  The RADIUS server has to read the credentials from somewhere, so you're just moving the problem down one level.

  Or, you store the credentials in a different format (keytab, certificate, etc.)  In which case an attacker who can read the local file system can still do everything that the RADIUS server can do.

  The only thing gained by using a keytab file is some happy thoughts that the "password" isn't stored as clear-text.  But the credentials are still accessible to any attacker, for use as they please.

> it is entirely possible to use the keytab and connect to a properly configured mariadb instance with a keytab.  can the functionality to authenticate to databases like mariadb with the keytab be added?

  What API should we use?  The MySQL documentation shows APIs which take username and password:

https://dev.mysql.com/doc/c-api/8.0/en/mysql-real-connect.html

  Which API takes a keytab?

  I've taken a quick look around the MySQL client documentation, and there's nothing obvious.

  Alan DeKok.



More information about the Freeradius-Users mailing list