
Re: radius-livingston 2.1



On Mon, Jan 15, 2001 at 03:30:50PM +0100, Florian Steurer wrote:
> hey!
> I need some help with radius-livingston 2.1, hope I'm not in the wrong
> list, couldn't find the right list at livingston.com. Anyway, that's the
> problem: I run radius 2.1, the users were in the <users>-file and the
> password was in plain-text. Now I use the "Crypt-Password" check item -
> that means I'm able to encrypt the password (with c- function crypt()),
> but it seems that it only works when I use PAP. And if I use PAP, the
> transmission isn't encrypted ( using CHAP, it is -> correct me if I'm
> wrong!). But I need a way to encrypt the passwords AND the transmission.
> Ideas?

You can't.

CHAP is a challenge-response mechanism.  To work, BOTH ends must have a
copy of the real password: not a hash of it.

The security risk on CHAP is that both ends must have a cleartext
password, which is clearly a bad thing to keep lying about on a server.
The risk of PAP is that the password between the PPP client and PPP
server is cleartext (but it is -not- cleartext between the NAS box and
the server).

Make your decision based upon what is more of a risk:  is it worse to
have a list of -all- your user passwords in cleartext or the risk that
if one user's phone line is tapped, that their password may be stolen?

In virtually all situations, PAP comes out the winner.

-- 
CueCat decoder .signature by Larry Wall:
#!/usr/bin/perl -n
printf "Serial: %s Type: %s Code: %s\n", map { tr/a-zA-Z0-9+-/ -_/; $_ = unpack
'u', chr(32 + length()*3/4) . $_; s/\0+$//; $_ ^= "C" x length; } /\.([^.]+)/g; 
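The two points made in the reply (CHAP needs the cleartext secret on the server, while PAP lets the server keep only a hash and still hides the password on the NAS-to-RADIUS leg) can be shown in code. The block below is an added illustration, not code from this thread or from the Livingston RADIUS server: it computes the CHAP response from RFC 1994 (MD5 over identifier, secret and challenge) and the RADIUS User-Password hiding from RFC 2865 section 5.2 (MD5 of the shared secret and request authenticator, XORed over the password in 16-octet blocks). The salted SHA-256 store is a stand-in for the crypt() hash in the users file; all passwords, secrets, challenge and authenticator values are constructed sample data.

```python
"""CHAP vs. PAP-over-RADIUS: why a hashed password store works for one and
not the other.  Added illustration; helper names and sample values are
assumptions, the salted-hash store stands in for crypt()."""
import hashlib
import hmac
import os


# --- Hashed password store (stand-in for crypt(): salted SHA-256) -----------
def hash_password(password: bytes, salt: bytes = None) -> str:
    """Return 'salthex$digesthex', what the server's users file would hold."""
    salt = os.urandom(8) if salt is None else salt
    return salt.hex() + "$" + hashlib.sha256(salt + password).hexdigest()


def check_hashed(password: bytes, stored: str) -> bool:
    """Verify a cleartext candidate against the stored salted hash."""
    salt_hex, digest = stored.split("$", 1)
    cand = hashlib.sha256(bytes.fromhex(salt_hex) + password).hexdigest()
    return hmac.compare_digest(cand, digest)


# --- CHAP (RFC 1994): Response = MD5(Identifier || Secret || Challenge) -----
def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """What the PPP client sends back; it needs the cleartext secret."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def chap_server_verify(ident: int, challenge: bytes, response: bytes,
                       secret: bytes) -> bool:
    """The server must recompute the very same MD5, so it also needs the
    cleartext secret; a crypt() hash cannot be fed into this computation."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


# --- PAP over RADIUS (RFC 2865 s.5.2): User-Password hiding, NAS <-> server --
def radius_hide_password(password: bytes, shared_secret: bytes,
                         authenticator: bytes) -> bytes:
    """Pad to 16 octets and XOR each block with MD5(secret || previous block);
    the first block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def radius_reveal_password(hidden: bytes, shared_secret: bytes,
                           authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password, run on the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def pap_server_verify(hidden: bytes, shared_secret: bytes,
                      authenticator: bytes, stored_hash: str) -> bool:
    """PAP path: unhide, then compare against the hash in the users file."""
    pw = radius_reveal_password(hidden, shared_secret, authenticator)
    return check_hashed(pw, stored_hash)


def demo() -> dict:
    """Walk both paths with constructed sample values."""
    password = b"correct horse"                       # constructed user password
    stored = hash_password(password, salt=b"\x01" * 8)  # users-file entry (hash only)
    shared_secret = b"nas-to-radius-secret"           # constructed NAS/server secret
    authenticator = bytes(range(16))                  # normally random per request
    hidden = radius_hide_password(password, shared_secret, authenticator)
    ident, challenge = 7, b"\xaa" * 16                # constructed CHAP values
    response = chap_response(ident, password, challenge)
    return {
        # PAP: the server verifies with only a hash, and the NAS->server leg
        # does not carry the cleartext password.
        "pap_ok": pap_server_verify(hidden, shared_secret, authenticator, stored),
        "pap_wire_is_cleartext": hidden == password,
        # CHAP: works with the cleartext secret, and the stored hash is no
        # substitute for it.
        "chap_ok_with_cleartext": chap_server_verify(ident, challenge, response, password),
        "chap_with_hash_as_secret": chap_server_verify(ident, challenge, response,
                                                       stored.encode()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hiding on the NAS-to-server leg is reversible obfuscation keyed by the shared secret, not encryption in the modern sense; it is what makes the reply's "not cleartext between the NAS box and the server" true while still letting the server hold only crypt() hashes. The CHAP path has no equivalent: nothing stored in `stored` lets the server reproduce the client's MD5, which is the whole reason a Crypt-Password entry only works with PAP.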


