Ascend Archive
Re: (ASCEND) user passwords in radius file
On Sat, May 02, 1998 at 11:34:40AM +0200, s.lux@obi.de wrote:
>
> Is there a way to encrypt the passwords in the radius users file?
Would be a Radius-Server specific thingy, but there is generally no
problem with using a hashed password there (would probably be a 2
line hack to get crypt(3) into ascendd) besides the one you already
know:
> I know the possibility of getting the passwords from the unix passwd file,
> but I have heard that this does not work together with
> CHAP authentication. Is this true and if so, what is the reason?
The same reason why CHAP wouldn't work with hashed passwords in the
users file itself: CHAP is a challenge handshake that _requires_ access
to the cleartext password to compute and verify the challenge and the
response. There is no way around that. PAP on the other hand transmits
the password as cleartext and can thus verify that it hashes to the same
value the original password did and thus can utilize the typical Unix
password scheme. So your options are:
1) PAP: Cleartext passwords on the road - bad.
2) CHAP: Cleartext passwords in files on your servers - not that bad but
not nice, either.
Generally, there is no solution to this dilemma besides a new authentication
protocol utilizing public key cryptography. And if it should work
automatically there is actually no good solution at all. Of course everything depends
on what "encryption" you actually want. If it is not to provide ultimate
security but just to prevent people from getting the plaintext passwords
without any work, you could encrypt them with a secret key that is nowhere
on your machine but in the RADIUS daemon and the program that generates the
passwords. It will require the attacker to steal both the user file and
the mentioned binaries and to analyze the binaries in order to get back
to your passwords. This is of course possible and not even complicated for
any attacker with interest, but it can easily block out tertiary level
hackers and playaround-kids which for some reason got access to your
users file.
--
Kanther-Line: PGP SSH IDEA MD5 GOST RIPE-MD160 3DES RSA FEAL32 RC4
+-o-+--------------------------------------------------------+-o-+
| o | \\\- Brain Inside -/// | o |
| o | ^^^^^^^^^^^^^^ | o |
| o | Andre' Beck (ABPSoft) AB10-RIPE XLink PoP Dresden | o |
+-o-+--------------------------------------------------------+-o-+
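As an added illustration of the point made above (this is not code from the post or from ascendd), the CHAP computation from RFC 1994 beside a PAP check against a stored hash: the CHAP authenticator can only verify the response if it holds the cleartext secret, while PAP verifies fine against a hash. PBKDF2 stands in for crypt(3) here, and the user name, password and challenge are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample credential (not from the original post).
CLEARTEXT_PASSWORD = b"correct horse"


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/MD5: Response = MD5(Identifier || Secret || Challenge).
    Peer and authenticator both compute this, so both need the cleartext secret."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(stored_secret: bytes, ident: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute from whatever is stored and compare."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def hash_password(password: bytes, salt: bytes) -> bytes:
    """Salted one-way hash at rest; PBKDF2-SHA256 stands in for crypt(3) (assumption)."""
    return salt + hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def pap_verify(stored_hash: bytes, presented_cleartext: bytes) -> bool:
    """PAP: the cleartext arrives on the wire, so it can be re-hashed and compared."""
    salt = stored_hash[:16]
    return hmac.compare_digest(hash_password(presented_cleartext, salt), stored_hash)


def demo():
    # The server keeps only the hash, as a users file with crypt()ed passwords would.
    stored = hash_password(CLEARTEXT_PASSWORD, os.urandom(16))
    pap_ok = pap_verify(stored, CLEARTEXT_PASSWORD)

    # CHAP: nothing but challenge/response crosses the wire, but the authenticator
    # cannot verify from `stored`; it must hold CLEARTEXT_PASSWORD itself.
    ident, challenge = 1, os.urandom(16)
    response = chap_response(ident, CLEARTEXT_PASSWORD, challenge)  # computed by the peer
    chap_ok_with_cleartext = chap_verify(CLEARTEXT_PASSWORD, ident, challenge, response)
    chap_ok_with_hash = chap_verify(stored, ident, challenge, response)
    return pap_ok, chap_ok_with_cleartext, chap_ok_with_hash


if __name__ == "__main__":
    print(demo())
```

Running it returns (True, True, False): PAP verifies against the hash, CHAP verifies only with the cleartext on the server side.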
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>