[RADIATOR] Password/certificate security seems next to none on Radiator server
Nadav Hod
nadav.hod at comm-it.co.il
Fri Oct 2 09:45:50 CDT 2015
Hi Tuure,
Moving the secrets from one cleartext file to another isn't secure, it's just a way to break the code between more files. I'm interested in a secure way to access credentials which are kept both encrypted and only accessed when authenticated by a keyfile or something equally strong.
As far as I can tell this doesn't exist today in Radiator, I'm asking this members in this mailing list whether or not they think there is added value in implementing some form of sustainable security for these credentials.
________________________________________
From: radiator-bounces at open.com.au [radiator-bounces at open.com.au] on behalf of Tuure Vartiainen [vartiait at open.com.au]
Sent: Friday, October 02, 2015 3:11 PM
To: radiator at open.com.au
Subject: Re: [RADIATOR] Password/certificate security seems next to none on Radiator server
Hi,
> On 02 Oct 2015, at 14:57, Nadav Hod <nadav.hod at comm-it.co.il> wrote:
>
> I personally am not a big fan of NPS due to its lack of scalability, authentication support and customability, but at least credentials were somewhat secure.
>
if I understood correctly, some sort of wanted kind of protection could be implemented with
using variables for secrets in Radiator config and include definitions of variables
through a script.
E.g.:
DbDir /etc/radiator
include %D/conf_secrets.pl|
<Client 1.2.3.4>
Identifier client1
Secret %{GlobalVar:client1_secret}
</Client>
<AuthBy FILE>
EAPTLS_PrivateKeyPassword %{GlobalVar:tls_cert_key_pass}
</AuthBy>
The protection of secrets is then implemented in conf_secrets.pl script.
When authorized to output, it should print stdout:
DefineGlobalVar client1_secret mysecret
DefineGlobalVar tls_cert_key_pass whatever
BR
--
Tuure Vartiainen <vartiait at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator
More information about the radiator
mailing list