I rather prefer PAP; you only put one account at risk, not everybody.

On Monday 4 October 2004 10:59, [EMAIL PROTECTED] wrote:
> Luis Daniel Lucio Quiroz wrote:
> > Isn't it a security problem to have clear-text passwords to permit
> > CHAP?
>
> Depending on your configuration, it may be one.
> Essentially, there are two possible points of attack:
> - the network: Try to intercept "the password" during
>   transfer.
> - the configuration files: Try to read/modify user
>    passwords.
> Now you can use either "PAP" (transfer clear-text
> password and compare its hash value with the
> hash value stored on the server) - safe against stealing
> password from server (only hash value is stored), but
> risky if your network is not secure. Or you can use
> "CHAP" (get a challenge, encrypt the challenge using
> your password as "encryption key", server needs to
> know the correct "encryption key" to verify the
> correctness of the client's encryption) - safe against
> snooping on the network, but password is stored on
> the server.
>
> From my point of view, if you can steal passwords from
> the server, you likely can steal information needed to
> send "false" accept packets as well, i.e. if an attacker
> can get to the CHAP passwords, your security is
> compromised anyway and there (usually) is more
> interesting stuff for the attacker than stealing passwords.
> OTOH, network sniffing is "easily" done, so PAP really
> isn't a good alternative, even though it's not quite as dumb
> as my description makes it sound (it's not really clear text,
> it's encrypted using the shared RADIUS secret, but there
> you can try dictionary attacks and it's stored on both client
> and server in clear text, so if you think CHAP is a problem,
> then PAP is no better than a clear-text password transfer).
>
>             Regards,
>                        Stefan
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
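
The storage trade-off discussed in this thread, as an added example that is not part of the original messages: PAP's User-Password hiding (RFC 2865) lets a server verify against a stored hash, while a CHAP response (RFC 1994) can only be recomputed from the password itself. The secret, password, salt and the PBKDF2 stand-in for the stored hash are constructed assumptions.

```python
import hashlib
import hmac

def _keystream(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()

def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR the padded password with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += prev
    return out

def pap_unhide(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Any holder of the shared secret recovers the clear-text password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def hash_password(password: bytes, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for whatever hash the user store holds.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def check_pap(hidden, secret, request_auth, salt, stored_hash) -> bool:
    """PAP: the server only needs a hash at rest."""
    candidate = hash_password(pap_unhide(hidden, secret, request_auth), salt)
    return hmac.compare_digest(candidate, stored_hash)

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5(identifier + password + challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def check_chap(chap_id, challenge, response, stored_password) -> bool:
    """CHAP: the server must hold the password itself to recompute the response."""
    return hmac.compare_digest(chap_response(chap_id, stored_password, challenge), response)

# Constructed sample values, not taken from the thread.
SECRET, PASSWORD, SALT = b"shared-radius-secret", b"a-much-longer-user-password", b"\x01" * 16
REQUEST_AUTH, CHALLENGE = bytes(range(16)), bytes(range(16, 32))

if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, SECRET, REQUEST_AUTH)
    print("PAP, hash at rest:", check_pap(hidden, SECRET, REQUEST_AUTH, SALT, hash_password(PASSWORD, SALT)))
    resp = chap_response(7, PASSWORD, CHALLENGE)
    print("CHAP, clear text at rest:", check_chap(7, CHALLENGE, resp, PASSWORD))
    print("CHAP, hash at rest:", check_chap(7, CHALLENGE, resp, hash_password(PASSWORD, SALT)))
```

The last check returns False: a server that keeps only the hash cannot validate a CHAP response, which is why CHAP forces clear-text (or reversibly stored) passwords on the server.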
