[RADIATOR] Password/certificate security seems next to none on Radiator server

Christian Kratzer ck-lists at cksoft.de
Sat Oct 3 08:06:26 CDT 2015


Hi,

On Fri, 2 Oct 2015, Nadav Hod wrote:
> Hi Tuure,
>
> Moving the secrets from one cleartext file to another isn't secure, it's just a way to break the code between more files.

You still clearly do not understand that there is no way to solve this in software.

Not in Radiator or in any other software.

Radiator or any other RADIUS server needs to keep in plaintext:
- credentials it needs to connect to backend databases
- possible certificate private keys or passphrases to unlock those when needed
- RADIUS secrets
- ...

> I'm interested in a secure way to access credentials which are kept both encrypted and only accessed when authenticated by a keyfile or something equally strong.

If credentials are kept encrypted and are decrypted on demand, that is equally just obfuscation.

You asked for it and were shown a way to accomplish this but rejected it.

> As far as I can tell this doesn't exist today in Radiator. I'm asking the members of this mailing list whether or not they think there is added value in implementing some form of sustainable security for these credentials.

Radiator is following best practices already.

Greetings
Christian



-- 
Christian Kratzer                   CK Software GmbH
Email:   ck at cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/

