Firstly, these are not my servers, or my department. My role is limited to provisioning the radius server. I did suggest restricted access, sudo etc., and that didn't fly. I was asked what the implications of the shared secret being visible are, and if there is a way to obfuscate it.
I will forward on this commentary to the relevant persons and leave it with them.

Thanks
G

On Sun, Nov 20, 2011 at 4:35 AM, John Dennis <jden...@redhat.com> wrote:
> On 11/18/2011 07:33 PM, Gregory Machin wrote:
>>
>> Hi.
>> We are using PAM to authenticate users against Freeradius, and
>> that is working well. The problem is that the users are 3rd party
>> developers and some need root access. The issue we have is that the
>> radius secret is stored in a clear text file. How can this be hidden so
>> that it can be misused ?
>>
>> Is there a document on hardening Freeradius ?
>
> Giving 3rd party users root access to servers with sensitive information is
> dumb. Nothing is protected once you have root. You need to seriously
> reconsider why anybody except a trusted small group of admins needs root.
>
> I can't seriously believe you're asking a question about hardening after
> declaring you intend to give root away. The very first rule of hardening is
> to restrict root access, all hardening efforts are a complete waste of time
> once root is compromised.
>
>
> --
> John Dennis <jden...@redhat.com>