Hi,

On Thu, Feb 16, 2012 at 10:21:37AM +0000, Peter Moreton wrote:
> I have a working RADIUS server, "RADIUS01" running
> Centos/Freeradius. Freeradius is configured to store username
> and PIN-style passwords in MySQL. To go live with our RADIUS
> implementation, I have been tasked with making the selection of
> PINs a self-service process. I'm considering an email-based
> approach where u...@foobar.org.uk can email p...@foobar.org.uk in
> order to achieve PIN maintenance. (I understand the risk of
> email header spoofing).

I really wouldn't use e-mail for this. Once upon a time, e-mail
responders were sort-of normal. These days people will just think the
system is weird. Add to that trying to parse the HTML and other ****
that people send by e-mail these days. Web interface is most likely
the way to go.

> Since I don't know Linux terribly well, I'm asking the group if
> my proposal is a sensible approach? Am I re-inventing any
> wheels? Should I consider an alternative method?

I can't guess much about your setup from your e-mail, but I'd probably
think through things in something like this order, if they are
possible, in decreasing order of security (1 & 2 may not be possible) -

1. Use your central authentication system for your RADIUS auth, and
   forget about the pin numbers. Then another system is managing the
   passwords for you.

2. Use your central auth system to authenticate users to a web page,
   where they can set a pin number in your mysql db. Then you know the
   right person set the right pin.

3. Allow anyone to request a new pin from a web page by entering in
   their e-mail address and pin (and existing pin, if already set).
   The system e-mails them a coded URL, and the new pin becomes active
   upon visiting the URL in the e-mail (uses e-mail to verify the right
   person requested the pin as hopefully only they have access to their
   mailbox; better than looking at the probably spoofed sender of an
   e-mail received by you).

   (3a - or replying to the mail, rather than clicking the link, but
   then you've got to try and process e-mails again...)

4. Web page allows an e-mail address and pin to be entered, verified by
   existing pin if already set, and sets the pin immediately. Possibly
   an e-mail sent after the pin has been set, so the user is notified
   (esp. if someone else changes the pin somehow.)

5. Web page allows anyone to set a pin given an e-mail address and a
   new pin. About as secure as allowing pins to be set by e-mailing
   in...

If you've got a central auth of some sort, (1) is probably the easiest
as it skips the web bit, but there may be reasons why you can't do
that. 2-5 (or other similar options) are probably, in their utter
simplest form, possible in less than 100 lines of perl or your other
favourite scripting language.

I'm not really sure where to suggest to begin if you're new to Linux,
though - the only thing you might consider, if you're more comfortable
in Windows, is writing a web app in something on a Windows system that
updates the mysql database. There's no need to have that running on
the same box...

Cheers,

Matthew

--
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
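The core of option 3 from the reply above (request with e-mail address, new PIN and any existing PIN; a coded single-use URL goes out by e-mail; the PIN only becomes active when that URL is visited), written out as an added example. This is not code from the list post or from FreeRADIUS. It assumes an in-memory SQLite database as a stand-in for the MySQL tables the RADIUS server reads, a list named OUTBOX in place of an SMTP send, hypothetical table names `pins` and `pending`, a placeholder confirmation URL, and a 15-minute token lifetime; the web front end that calls `request_pin` and `confirm` is left out.

```python
"""Token-confirmed self-service PIN reset (list option 3), added example.

Security properties shown: the new PIN is held as pending until the
mailed token is presented; only a SHA-256 hash of the token is stored,
so reading the database does not yield a usable link; tokens expire
and are single-use; an existing PIN must be supplied and is compared
in constant time; the user is notified after the change (as option 4
suggests).
"""
import hashlib
import hmac
import secrets
import sqlite3
import time

TOKEN_TTL = 15 * 60                                  # assumed policy, in seconds
BASE_URL = "https://pin.example.invalid/confirm"     # placeholder for the real site
OUTBOX = []                                          # constructed stand-in for SMTP: (recipient, body)


def open_db():
    """In-memory SQLite as a stand-in for the MySQL tables; schema is hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pins (email TEXT PRIMARY KEY, pin TEXT NOT NULL);
        CREATE TABLE pending (
            token_hash TEXT PRIMARY KEY,   -- hash only; the raw token is never stored
            email      TEXT NOT NULL,
            new_pin    TEXT NOT NULL,
            expires_at INTEGER NOT NULL,
            used       INTEGER NOT NULL DEFAULT 0
        );
    """)
    return db


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def send_mail(recipient, body):
    """Stand-in for sending e-mail: just records the message."""
    OUTBOX.append((recipient, body))


def request_pin(db, email, new_pin, existing_pin=None, now=None):
    """Step 1: check the request, store the change as pending, mail a coded URL.

    Returns True when a confirmation mail was produced, False when the PIN is
    malformed or an already-set PIN was not supplied correctly.
    """
    now = int(time.time()) if now is None else now
    if not (new_pin.isdigit() and 4 <= len(new_pin) <= 8):      # assumed PIN policy
        return False
    row = db.execute("SELECT pin FROM pins WHERE email = ?", (email,)).fetchone()
    if row is not None:
        # A PIN is already set, so the requester must prove they know it.
        if existing_pin is None or not hmac.compare_digest(row[0], existing_pin):
            return False
    token = secrets.token_urlsafe(32)                              # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO pending (token_hash, email, new_pin, expires_at) VALUES (?, ?, ?, ?)",
        (_hash_token(token), email, new_pin, now + TOKEN_TTL),
    )
    db.commit()
    send_mail(email, f"To activate your new RADIUS PIN visit {BASE_URL}?t={token}")
    return True


def confirm(db, token, now=None):
    """Step 2: the mailed URL is visited. Activate the pending PIN only if the
    token is known, unexpired and unused, then burn the token."""
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT email, new_pin, expires_at, used FROM pending WHERE token_hash = ?",
        (_hash_token(token),),
    ).fetchone()
    if row is None or row[3] or row[2] < now:
        return False
    email, new_pin = row[0], row[1]
    db.execute("INSERT OR REPLACE INTO pins (email, pin) VALUES (?, ?)", (email, new_pin))
    db.execute("UPDATE pending SET used = 1 WHERE token_hash = ?", (_hash_token(token),))
    db.commit()
    send_mail(email, "Your RADIUS PIN was changed. If this was not you, contact the helpdesk.")
    return True


def current_pin(db, email):
    """The PIN the RADIUS server would currently see for this user, or None."""
    row = db.execute("SELECT pin FROM pins WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None


def token_from_mail(body):
    """Demo helper: recover the token from the mailed URL (the user's click)."""
    return body.split("?t=", 1)[1]


if __name__ == "__main__":
    db = open_db()
    request_pin(db, "u@foobar.org.uk", "1234", now=1000)
    tok = token_from_mail(OUTBOX[-1][1])
    print("active before click:", current_pin(db, "u@foobar.org.uk"))   # None
    print("confirm:", confirm(db, tok, now=1001))                        # True
    print("active after click:", current_pin(db, "u@foobar.org.uk"))    # 1234
    print("replay:", confirm(db, tok, now=1002))                         # False
```

Rate limiting of requests per address and the hashing format FreeRADIUS expects for the stored PIN are deployment details this example does not cover; the pending new PIN is stored in clear because the RADIUS side needs a usable value once activated.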