Hi Tuure,

Moving the secrets from one cleartext file to another isn't secure; it's just a 
way to break the code between more files. I'm interested in a secure way to 
access credentials which are kept both encrypted and only accessed when 
authenticated by a keyfile or something equally strong. 

As far as I can tell this doesn't exist today in Radiator. I'm asking the 
members of this mailing list whether or not they think there is added value in 
implementing some form of sustainable security for these credentials.
________________________________________
From: [email protected] [[email protected]] on behalf of 
Tuure Vartiainen [[email protected]]
Sent: Friday, October 02, 2015 3:11 PM
To: [email protected]
Subject: Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

Hi,

> On 02 Oct 2015, at 14:57, Nadav Hod <[email protected]> wrote:
>
> I personally am not a big fan of NPS due to its lack of scalability, 
> authentication support and customability, but at least credentials were 
> somewhat secure.
>

If I understood correctly, the kind of protection you want could be 
implemented by using variables for the secrets in the Radiator config and 
including the definitions of those variables through a script.

E.g.:

DbDir /etc/radiator
include %D/conf_secrets.pl|

<Client 1.2.3.4>
  Identifier client1
  Secret %{GlobalVar:client1_secret}
</Client>

<AuthBy FILE>
  EAPTLS_PrivateKeyPassword %{GlobalVar:tls_cert_key_pass}
</AuthBy>


The protection of secrets is then implemented in conf_secrets.pl script.
When authorized to output, it should print to stdout:

DefineGlobalVar client1_secret mysecret
DefineGlobalVar tls_cert_key_pass whatever


BR
--
Tuure Vartiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
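Tuure's sketch leaves all of the protection to the included script. As an added example (not code from this thread or from Radiator), here is a stdlib-only Python version of such a script, to be wired in as `include %D/conf_secrets.py|`: the secrets file is kept encrypted at rest (HMAC-SHA256 in counter mode as the stream cipher, encrypt-then-MAC), the DefineGlobalVar lines are emitted only when the keyfile authenticates the store, and a keyfile readable by other users is refused. The script name, the two file paths and the `name=value` store format are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical conf_secrets.py for Radiator's 'include %D/conf_secrets.py|'.
Secrets are kept encrypted at rest and are emitted as DefineGlobalVar lines
only when the keyfile authenticates the store (encrypt-then-MAC, stdlib only)."""
import hashlib, hmac, os, secrets, sys

def _keys(master: bytes):
    # Derive separate encryption and MAC keys from the keyfile contents.
    enc = hmac.new(master, b"radiator-secrets-enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"radiator-secrets-mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF-based stream cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(master: bytes, plaintext: bytes) -> bytes:
    enc, mac = _keys(master)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def open_(master: bytes, blob: bytes) -> bytes:
    # Verify the tag first: a wrong keyfile or a tampered file yields nothing.
    enc, mac = _keys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("secrets store failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

def render(plaintext: bytes) -> str:
    # 'name=value' lines (assumed store format) -> DefineGlobalVar lines.
    out = []
    for raw in plaintext.decode().splitlines():
        raw = raw.strip()
        if raw and not raw.startswith("#"):
            name, value = raw.split("=", 1)
            out.append(f"DefineGlobalVar {name.strip()} {value.strip()}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    keyfile, store = sys.argv[1:3] if len(sys.argv) > 2 else ("/etc/radiator/secrets.key", "/etc/radiator/secrets.enc")
    if os.stat(keyfile).st_mode & 0o077:  # refuse a keyfile others can read
        sys.exit("refusing: keyfile is readable by group/other")
    with open(keyfile, "rb") as kf, open(store, "rb") as sf:
        sys.stdout.write(render(open_(kf.read(), sf.read())))
```

The decrypted values still cross the pipe in cleartext and live in radiusd's memory, so the keyfile and the radiusd process should belong to the same unprivileged account and nothing else should be able to read either.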