Luis Daniel Lucio Quiroz wrote:
> Isn't it a security problem clear text password to permit
> CHAP?

Depending on your configuration, it may be one.
Essentially, there are two possible points of attack:
- the network: Try to intercept "the password" during
  transfer.
- the configuration files: Try to read/modify user
   passwords.
Now you can use either "PAP" (transfer clear-text
password and compare its hash value with the
hash value stored on the server) - safe against stealing
password from server (only hash value is stored), but
risky if your network is not secure. Or you can use
"CHAP" (get a challenge, encrypt the challenge using
your password as "encryption key", server needs to
know the correct "encryption key" to verify the
correctness of the client's encryption) - safe against
snooping on the network, but password is stored on
the server.

From my point of view, if you can steal passwords from
the server, you likely can steal information needed to
send "false" accept packets as well, i.e. if an attacker
can get to the CHAP passwords, your security is
compromised anyway and there (usually) is more
interesting stuff for the attacker than stealing passwords.
OTOH, network sniffing is "easily" done, so PAP really
isn't a good alternative, even though it's not quite as dumb
as my description makes it sound (it's not really clear text,
it's encrypted using the shared RADIUS secret, but there
you can try dictionary attacks and it's stored on both client
and server in clear text, so if you think CHAP is a problem,
then PAP is no better than a clear-text password transfer).

            Regards,
                       Stefan

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
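An added example, not part of the list post above and not FreeRADIUS code, illustrating the trade-off Stefan describes: PAP's User-Password is hidden on the wire with the shared RADIUS secret (the XOR/MD5 scheme of RFC 2865 section 5.2), and the server can verify it against a stored salted hash; CHAP (RFC 1994) keeps the password off the wire but the server must hold the clear-text password to recompute MD5(id || password || challenge). All passwords, secrets, challenges and authenticators below are constructed sample values.

```python
import hashlib
import hmac
import os

# --- RADIUS PAP: how User-Password is hidden on the wire (RFC 2865, 5.2) ---

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password for the User-Password attribute.
    The password is NUL-padded to a multiple of 16 bytes; each 16-byte block
    is XORed with MD5(secret + previous ciphertext block), where the first
    "previous block" is the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of pap_hide, as done by the RADIUS server. Recovering the
    password needs only the shared secret and the Request Authenticator,
    which travels in the clear; this is why Stefan calls the hiding
    "not really clear text" but still exposed to guessing of the secret."""
    padded, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        padded += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")   # PAP passwords cannot contain NUL


# --- Server-side PAP: only a salted hash needs to be stored ---

def pap_store(password: bytes) -> tuple:
    """Return (salt, digest); the clear-text password is never kept."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)


def pap_verify(password: bytes, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)
    return hmac.compare_digest(candidate, digest)


# --- CHAP (RFC 1994): server must hold the clear-text password ---

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_id: int, challenge: bytes, response: bytes,
                cleartext_password: bytes) -> bool:
    """Server side: recompute with the stored clear-text password. A salted
    hash such as pap_store() produces cannot be used here, because the MD5
    input needs the password itself."""
    expected = chap_response(chap_id, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run both exchanges on constructed values (not real credentials)."""
    password = b"correct horse"
    secret = b"example-shared-secret"      # constructed RADIUS shared secret
    authenticator = os.urandom(16)         # Request Authenticator
    hidden = pap_hide(password, secret, authenticator)
    salt, digest = pap_store(password)
    chap_id, challenge = 7, os.urandom(16)
    resp = chap_response(chap_id, password, challenge)
    recovered = pap_unhide(hidden, secret, authenticator)
    return {
        "pap_roundtrip": recovered == password,
        "pap_hash_verify": pap_verify(recovered, salt, digest),
        "chap_ok": chap_verify(chap_id, challenge, resp, password),
        "chap_wrong_pw": chap_verify(chap_id, challenge, resp, b"wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

The two verifiers make the storage trade-off concrete: `pap_verify` only ever sees a salt and a digest, while `chap_verify` cannot be written without `cleartext_password`, so whoever can read the CHAP user database has the passwords, as the post says.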