Hello,

I've been given a project to integrate our RADIUS authentication
database with our NIS setup. This strikes me as either a bad
idea or an unworkable one. I need to stick to either PAP or CHAP,
not something like tokens or Kerberos, etc. My understanding is
that PAP passes the auth info unencrypted for the first leg of the
request, i.e., from the user to the NAS box. Since passing
passwords in the clear is not the best, I'd like to use CHAP.
However, CHAP requires that the auth database keep passwords
unencrypted. That kind of presents a problem when talking about
integration with NIS or plain old /etc/password and /etc/shadow.

My questions really boil down to these:

1. Is CHAP the obviously better security choice than PAP that I
   think it is, even with unencrypted passwords on the RADIUS
   server?

2. Is integrating the RADIUS authentication info with any other
   general authentication scheme, including NIS, a bad idea?

3. Since I'm dealing with close to 1000 RAS users, is putting all
   of the users' info into the RADIUS software (SteelBelted RADIUS)
   a good idea or is there a better way to handle large numbers of
   users?

Sorry if these are basic questions; I trust the group to provide
good info to those of us who haven't done this for 10 (or 20+)
years.

Thanks,
Brent Stackhouse
UNIX Group
National Instruments
Austin, Texas
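
The constraint raised in the message above, as an added example that is not part of the original post: a server holding only one-way hashes (as in /etc/shadow or a NIS passwd map) can check a PAP password but cannot recompute a CHAP response. The CHAP formula is the one from RFC 1994; the PBKDF2 call is an assumed stand-in for crypt(3), and all sample values are constructed.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    # Assumed stand-in for the salted crypt(3) hash in /etc/shadow or NIS.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def verify_pap(received_password: bytes, salt: bytes, stored_hash: bytes) -> bool:
    # PAP delivers the password itself, so the server can re-hash it and
    # compare against the stored one-way hash.
    return hmac.compare_digest(one_way_hash(received_password, salt), stored_hash)


def verify_chap(ident: int, challenge: bytes, response: bytes, stored: bytes) -> bool:
    # CHAP delivers only MD5(id || secret || challenge). Recomputing it needs
    # the secret itself, which a one-way hash cannot give back.
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)


def demo() -> dict:
    password = b"correct horse"            # constructed sample value
    salt = os.urandom(16)
    shadow_hash = one_way_hash(password, salt)
    ident, challenge = 7, os.urandom(16)   # issued by the authenticator
    response = chap_response(ident, password, challenge)  # computed by the peer
    return {
        "pap_with_hash": verify_pap(password, salt, shadow_hash),
        "chap_with_cleartext": verify_chap(ident, challenge, response, password),
        # The stored hash is not the secret the peer used, so this fails.
        "chap_with_hash": verify_chap(ident, challenge, response, shadow_hash),
        # A captured response does not verify against a fresh challenge.
        "chap_replay": verify_chap(ident, os.urandom(16), response, password),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```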