Alan DeKok wrote:
> Fco. Javier Melero wrote:
>> Well, surely I'm missing something, but that's the way I've found to
>> store clear text passwords in LDAP keeping some peace of mind. What
>> could be the alternative?
>
> Storing them as clear-text.
>
> Encrypting them adds *zero* benefit, because the application that needs
> the passwords has to be given the decryption key. Since the decryption
> key is scattered all over the place in your network, it's not adding
> much security.
>
> To put it another way, almost no one does what you're doing.

Maybe some context will help. What we are trying to do is implement an
802.1x wireless LAN which can allow multiple EAP methods under the same
SSID. If you want TTLS/PAP and PEAP/MSCHAP working together the only way
is to use clear text passwords (or I think so). In our scenario, which
is only a test so far, there will be no applications using this
attribute. Radius server will be the only one which will have the
private key, and hopefully keeping it as safe as we could the whole
system will have a reasonable security.

Are we driving ourselves insane? Tell me the truth ;-)

Have a nice weekend.

--
=========================================================
Fco. Javier Melero de la Torre
Universidad Carlos III de Madrid
Servicio de Informática y Comunicaciones
Area de Seguridad y Comunicaciones
(https://asyc.uc3m.es)
e-mail: [EMAIL PROTECTED]
phone: (+34) 916.249.980, (+34) 918.561.341
fax: (+34) 916.249.430
=========================================================