>I've been given a project to integrate our RADIUS authentication
>database with our NIS setup. This strikes me as either a bad
>idea or an unworkable one.
It's quite workable, if....
>I need to stick to either PAP or CHAP,
>not something like tokens or Kerberos, etc.
Tokens are not mutually exclusive with PAP or CHAP. I
believe Kerberos is (if you're talking about all the way
to the dial-up clients).
>My understanding is
>that PAP passes the auth info unencrypted for the first leg of the
>request, i.e., from the user to the NAS box.
Correct.
>Since passing
>passwords in the clear is not the best, I'd like to use CHAP.
>However, CHAP requires that the auth database keep passwords
>unencrypted.
You've hit upon the key tradeoff. You have to decide whether you want
to keep passwords around in the clear on a machine you control,
or whether you trust the security of the phone company and want
to keep them stored hashed. If you're talking about some sort of
VPN arrangement, where the PAP happens across an encrypted
channel, you're OK.
>That kind of presents a problem when talking about
>integration with NIS or plain old /etc/password and /etc/shadow.
Works fine with PAP. For CHAP, you'd have to crack the passwords,
or force everyone to do a password change and capture the cleartext.
If you force the users to use a particular password change mechanism,
you can arrange for the files to stay in sync.
>My questions really boil down to these:
>1. Is CHAP the obviously better security choice than PAP that I
>think it is, even with unencrypted passwords on the RADIUS
>server?
You have to decide whether you trust your own security more
or less than the phone company's. Probably an easy choice for
most of us.
>2. Is integrating the RADIUS authentication info with any other
>general authentication scheme, including NIS, a bad idea?
Once you start down the single sign-on path, you're stuck
with the weakest link for security. About the only way to
fix that is to use one-time passwords. That's cheating, because
it forces all authentication mechanisms to use one central
authentication authority.
>3. Since I'm dealing with close to 1000 RAS users, is putting all
>of the users' info into the RADIUS software (SteelBelted RADIUS)
>a good idea or is there a better way to handle large numbers of
>users?
RADIUS or TACACS. Maybe LDAP soon. Other choices are
NT SAM (for MS RAS) and various other proprietary. Since you're
in the "UNIX group" I'm guessing you don't use NT as your NAS,
even though you're using SteelBelted RADIUS, which is known
for being able to integrate with the SAM.
Ryan
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
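The tradeoff Ryan describes, worked through in code. This is an added example and not part of the original post or of any RADIUS product: it models CHAP as in RFC 1994 (MD5 algorithm, Response = MD5(Identifier || secret || Challenge)) and PAP checked against a salted one-way hash. The salted hash uses PBKDF2-SHA256 as a stand-in for crypt(3)/shadow hashing, and the user name, secret, salt and challenge bytes are constructed sample data. It shows that the CHAP server can only recompute the response if it holds the cleartext secret, that PAP verifies fine against a shadow-style hash, and what a sniffer on the phone-company leg would see in each case.

```python
"""Why CHAP needs cleartext secrets on the server while PAP does not.

Added example, not from the original mailing-list post. CHAP follows
RFC 1994 with the MD5 algorithm; the PAP side uses PBKDF2-SHA256 as a
stand-in for crypt(3). All names, secrets and challenge bytes below
are constructed sample data.
"""
import hashlib
import hmac

# ---------- CHAP (RFC 1994, MD5 algorithm) ----------

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_server_verify(identifier: int, stored_secret: bytes,
                       challenge: bytes, response: bytes) -> bool:
    """Server side. The server must recompute the same MD5, so it needs the
    cleartext secret; a crypt()-style hash of the secret is useless here."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


# ---------- PAP against a salted, one-way hash (shadow-style) ----------

def shadow_style_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for crypt(3): salted and one-way. Real /etc/shadow entries
    use crypt(3) formats; PBKDF2-SHA256 is used here only to keep the
    example self-contained (assumption, not what NIS/shadow actually store)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)


def pap_server_verify(salt: bytes, stored_hash: bytes, submitted: bytes) -> bool:
    """Server side for PAP: the client sent the cleartext password, so the
    server hashes it and compares. Nothing cleartext is stored."""
    return hmac.compare_digest(shadow_style_hash(submitted, salt), stored_hash)


# ---------- What a sniffer between the modem and the NAS would see ----------

def pap_on_the_wire(user: bytes, password: bytes) -> dict:
    """PAP Authenticate-Request carries Peer-ID and Password in the clear."""
    return {"peer_id": user, "password": password}


def chap_on_the_wire(identifier: int, challenge: bytes, response: bytes) -> dict:
    """CHAP carries the challenge and the MD5 response, never the secret."""
    return {"identifier": identifier, "challenge": challenge, "response": response}


def run_demo() -> dict:
    user, secret = b"jdoe", b"correct horse battery"             # constructed
    salt = bytes.fromhex("0102030405060708")                      # constructed
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    identifier = 0x2A

    # The auth database stores one or the other:
    chap_db = {user: secret}                                   # cleartext, required by CHAP
    pap_db = {user: (salt, shadow_style_hash(secret, salt))}   # hashed, enough for PAP

    resp = chap_response(identifier, secret, challenge)
    chap_ok = chap_server_verify(identifier, chap_db[user], challenge, resp)
    # Verifying CHAP from the hashed database cannot work: the stored hash is
    # not the secret the client mixed into its MD5.
    chap_from_hash = chap_server_verify(identifier, pap_db[user][1], challenge, resp)

    pap_ok = pap_server_verify(*pap_db[user], secret)
    pap_bad = pap_server_verify(*pap_db[user], b"wrong")

    return {
        "chap_ok": chap_ok,
        "chap_from_hash": chap_from_hash,
        "pap_ok": pap_ok,
        "pap_bad": pap_bad,
        "pap_wire_leaks_password": pap_on_the_wire(user, secret)["password"] == secret,
        "chap_wire_has_secret": secret in chap_on_the_wire(identifier, challenge, resp).values(),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The two verify functions are the whole point: pap_server_verify only ever sees a hash, so it drops straight onto NIS or /etc/shadow, while chap_server_verify has to be handed the secret itself. That is why, as the reply says, moving an existing hashed user base to CHAP means either cracking the hashes or capturing cleartext at the next forced password change.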