Freeradius sql module usage
Dave Funk
dbfunk at engineering.uiowa.edu
Tue Jul 23 17:23:10 UTC 2024
On Tue, 23 Jul 2024, Alan Smith via Freeradius-Users wrote:
> A project I am working on does not allow storage of plain text passwords in the config file. That is why.
> On Tuesday, 23 July 2024 at 09:39:41 pm SGT, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Jul 23, 2024, at 1:12 AM, Alan Smith via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> How may I encrypt the password used in Connection info in SQL module? Kindly advise. Thanks.
>
> What problem would that solve?
>
> Think about it for a bit. The server has to be able to decrypt that password somehow. So where is the decryption key stored? How can the server get access to it?
It depends on the details of your system.
1) if radius daemon and MySQL daemon reside on the same host you can use Unix
access control and base it on UID.
2) if your system has some kind of hardware key escrow device, store the
credentials in that.
3) Store the password in an encrypted form and have the radius daemon prompt the
user for the decrypt key at startup (or retrieve it from some kind of key
escrow service, think "ssh-agent" like structure).
4) if your MySQL server supports some other kind of authentication mechanism (e.g.
GSSAPI) use that instead of passwords.
5) ask other people in your organization how they're handling this particular
mandate.
Good luck, ain't bureaucracy fun...
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
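
Added example, not part of the message above and not FreeRADIUS or MySQL code: one way to realise option 1, where a daemon on the same host identifies its client by the UID the kernel reports for the peer of a Unix socket (SO_PEERCRED, Linux only), so no password has to be stored in a config file. The socket pair and the names peer_credentials, authorize and demo are constructed for illustration.

```python
import os
import socket
import struct

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid;
_UCRED = struct.Struct("iII")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of a Unix socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def authorize(conn, allowed_uids):
    """Accept the connection only if the kernel-reported peer UID is allowed."""
    if conn.family != socket.AF_UNIX:
        return False  # peer credentials are only available on local sockets
    _pid, uid, _gid = peer_credentials(conn)
    return uid in allowed_uids


def demo():
    # Constructed stand-ins: 'server' plays the database side,
    # 'client' plays the RADIUS daemon connecting over a local socket.
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        me = os.getuid()
        return {
            "peer_uid": peer_credentials(server)[1],
            "own_uid_allowed": authorize(server, {me}),
            "other_uid_allowed": authorize(server, {me + 1}),
        }
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    print(demo())
```

The UID comes from the kernel rather than from anything the client sends, which is why this only works when both daemons share a host.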