RE: [pfSense Support] FreeRADIUS Package

2008-03-06 Thread Dimitri Rodis
Is there a better place to post/email this stuff? I don't seem to be
getting much in the way of responses. I have some nice additions to the
FreeRADIUS package that I want to submit, but I would like to add the
logging support before I do.

Trying to contribute!

Thanks,

Dimitri Rodis
Integrita Systems LLC 

-Original Message-
From: Dimitri Rodis [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 04, 2008 2:55 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] FreeRADIUS Package

Any hints on how to add logging support? I would really like to add this
feature to the package, but I haven't been able to find any information.
I've looked at practically every .xml file in
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/ , and I
haven't found a package with logging support yet. I've also looked at
the CoreGUI docs at http://devwiki.pfsense.org/CoreGUI , but there is no
mention of adding logging support anywhere.

Can anyone provide some docs/input on how to do this? Having to ssh into
the pfSense box and tail -f /var/log/radius.log is a pain, and I would
rather just go to a web based log.


Also, when using a textarea widget, is there a way to preserve the
carriage returns in the data when it is subsequently received? It isn't
affecting any of the functionality that I've added, it would just be
nice if it would preserve the formatting so that when the data for that
field is subsequently retrieved, it looks the same way it did when I put
it in. Again, I didn't see anything in the CoreGUI docs that says
whether or not this is possible.

Thanks,

Dimitri Rodis
Integrita Systems LLC 

-Original Message-
From: Dimitri Rodis 
Sent: Thursday, February 14, 2008 2:45 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] FreeRADIUS Package

I installed Squid (per Martin to see the syntax for some of the XML),
but when I go to the Package Logs page, I get:

No packages with logging facilities are currently installed.

Also, would you happen to know the options you guys would want me to use
with diff using cygwin so I can send up my changes so far? (I did the
VLAN support already, figured I'd send that up now and then follow up
with the logging stuff).

Thanks,
 
Dimitri Rodis
Integrita Systems LLC 


-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 14, 2008 10:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
 The FreeRadius log seems to be located at /var/log/radius.log.
According to the current package, there is no logging set up in the
package, so you basically have to ssh into pfSense to look at the log.

  What's involved in web enabling the FreeRADIUS log? (looked in the
forums, didn't find much.) Does it take something more than just adding
a reference to the location of the log in the .xml file somewhere?

I believe the squid package makes usage of this.  Cannot recall 100%
but I do know one of our packages has this implemented that should be
a good guide.

Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





Re: [pfSense Support] FreeRADIUS Package

2008-03-06 Thread Scott Ullrich
On 3/6/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
 Is there a better place to post/email this stuff? I don't seem to be
  getting much in the way of responses. I have some nice additions to the
  FreeRADIUS package that I want to submit, but I would like to add the
  logging support before I do.

  Trying to contribute!

I would imagine that is broken and you will need to roll your own log viewer.

Scott




RE: [pfSense Support] FreeRADIUS Package

2008-03-06 Thread Dimitri Rodis
The pfSense log viewer is broken?

Dimitri Rodis
Integrita Systems LLC 


-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 06, 2008 1:02 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 3/6/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
 Is there a better place to post/email this stuff? I don't seem to be
  getting much in the way of responses. I have some nice additions to the
  FreeRADIUS package that I want to submit, but I would like to add the
  logging support before I do.

  Trying to contribute!

I would imagine that is broken and you will need to roll your own log
viewer.

Scott




Re: [pfSense Support] FreeRADIUS Package

2008-02-14 Thread Scott Ullrich
On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
 The FreeRadius log seems to be located at /var/log/radius.log. According to 
 the current package, there is no logging set up in the package, so you 
 basically have to ssh into pfSense to look at the log.

  What's involved in web enabling the FreeRADIUS log? (looked in the forums, 
 didn't find much.) Does it take something more than just adding a reference 
 to the location of the log in the .xml file somewhere?

I believe the squid package makes usage of this.  Cannot recall 100%
but I do know one of our packages has this implemented that should be
a good guide.

Scott




RE: [pfSense Support] FreeRADIUS Package

2008-02-14 Thread Dimitri Rodis
I installed Squid (per Martin to see the syntax for some of the XML), but when 
I go to the Package Logs page, I get:

No packages with logging facilities are currently installed.

Also, would you happen to know the options you guys would want me to use with 
diff using cygwin so I can send up my changes so far? (I did the VLAN support 
already, figured I'd send that up now and then follow up with the logging 
stuff).

Thanks,
 
Dimitri Rodis
Integrita Systems LLC 


-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 14, 2008 10:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
 The FreeRadius log seems to be located at /var/log/radius.log. According to 
 the current package, there is no logging set up in the package, so you 
 basically have to ssh into pfSense to look at the log.

  What's involved in web enabling the FreeRADIUS log? (looked in the forums, 
 didn't find much.) Does it take something more than just adding a reference 
 to the location of the log in the .xml file somewhere?

I believe the squid package makes usage of this.  Cannot recall 100%
but I do know one of our packages has this implemented that should be
a good guide.

Scott




Re: [pfSense Support] FreeRADIUS Package

2008-02-11 Thread Scott Ullrich
On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
 Where would I go if I wanted to grab the source of the FreeRADIUS package
 and potentially add some features?

http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/

 I am looking to add some support for additional parameters to return to
 radius clients—for example, I am setting up a network for a couple of office
 buildings, and they purchased two HP 3500yl switches. I would like to be
 able to provision tenants for NATted internet access, or provision them for
 direct internet access based on the mac based authentication scheme that
 the hp switches have. It is possible to dynamically assign clients to a
 particular VLAN on those switches via a radius server based on the response
 from the radius server—so, since we are already using pfSense out there, I
 figure that maybe I can look into adding support for some of these
 additional radius user/client options in the FreeRADIUS package and
 contribute them back.

http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradius.inc
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradius.xml
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradiusclients.xml
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradiussettings.xml

Looking forward to seeing your updates,

Scott




RE: [pfSense Support] FreeRADIUS Package

2008-02-11 Thread Dimitri Rodis
Once I have changes made, how should I go about getting these changes
into a pfSense install to test before I send any patches up? Should I be
using the dev iso?

Dimitri Rodis
Integrita Systems LLC 

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 11, 2008 2:38 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
 Where would I go if I wanted to grab the source of the FreeRADIUS package
 and potentially add some features?

http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/

 I am looking to add some support for additional parameters to return to
 radius clients-for example, I am setting up a network for a couple of office
 buildings, and they purchased two HP 3500yl switches. I would like to be
 able to provision tenants for NATted internet access, or provision them for
 direct internet access based on the mac based authentication scheme that
 the hp switches have. It is possible to dynamically assign clients to a
 particular VLAN on those switches via a radius server based on the response
 from the radius server-so, since we are already using pfSense out there, I
 figure that maybe I can look into adding support for some of these
 additional radius user/client options in the FreeRADIUS package and
 contribute them back.

http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradius.inc
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradius.xml
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradiusclients.xml
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradiussettings.xml

Looking forward to seeing your updates,

Scott




RE: [pfSense Support] FreeRADIUS Package

2008-02-11 Thread Dimitri Rodis
The FreeRadius log seems to be located at /var/log/radius.log. According to the 
current package, there is no logging set up in the package, so you basically 
have to ssh into pfSense to look at the log.

What's involved in web enabling the FreeRADIUS log? (looked in the forums, 
didn't find much.) Does it take something more than just adding a reference to 
the location of the log in the .xml file somewhere?

Dimitri Rodis
Integrita Systems LLC 


-Original Message-
From: Dimitri Rodis [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 11, 2008 4:29 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] FreeRADIUS Package

Yep, got it figured out. I just ssh'd into the pfSense install and ftp'd the 
files out, made the changes, and ftp'd them back into /usr/local/pkg... I just 
made what I think are the appropriate mods to the files, just need to test them 
with the switches and make sure everything works as expected. Once they do, 
I'll send them up.

Thanks--

Dimitri Rodis
Integrita Systems LLC 

-Original Message-
From: Fuchs, Martin [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 11, 2008 3:52 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] FreeRADIUS Package

Or just replace the changed files in your pfsense-install (using putty or 
WinSCP when using windows)

The files are mostly placed under /usr/local/xxx (have a look there)

Try your changes and fix all errors... then send your patches using diff -rub to 
[EMAIL PROTECTED]

:-)

Martin

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 12, 2008 00:26
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
 Once I have changes made, how should I go about getting these changes
 into a pfSense install to test before I send any patches up? Should I be
 using the dev iso?

Look in the packages area on the forum where there is a good howto.

Scott




Re: [pfSense Support] FreeRADIUS Package

2008-02-11 Thread Scott Ullrich
On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
 Once I have changes made, how should I go about getting these changes
 into a pfSense install to test before I send any patches up? Should I be
 using the dev iso?

Look in the packages area on the forum where there is a good howto.

Scott




RE: [pfSense Support] FreeRADIUS Package

2008-02-11 Thread Dimitri Rodis
Yep, got it figured out. I just ssh'd into the pfSense install and ftp'd the 
files out, made the changes, and ftp'd them back into /usr/local/pkg... I just 
made what I think are the appropriate mods to the files, just need to test them 
with the switches and make sure everything works as expected. Once they do, 
I'll send them up.

Thanks--

Dimitri Rodis
Integrita Systems LLC 

-Original Message-
From: Fuchs, Martin [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 11, 2008 3:52 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] FreeRADIUS Package

Or just replace the changed files in your pfsense-install (using putty or 
WinSCP when using windows)

The files are mostly placed under /usr/local/xxx (have a look there)

Try your changes and fix all errors... then send your patches using diff -rub to 
[EMAIL PROTECTED]

:-)

Martin

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 12, 2008 00:26
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
 Once I have changes made, how should I go about getting these changes
 into a pfSense install to test before I send any patches up? Should I be
 using the dev iso?

Look in the packages area on the forum where there is a good howto.

Scott




Re: [pfSense Support] FreeRadius Package - slight security issue

2005-08-05 Thread Bill Marquette
On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
 While looking through the config.xml file to see if I could spot anything
 unusual (to help me fix the last issue I posted about), I noticed the
 FreeRadius config... 
 
 The problem that I saw is that the passwords are stored in clear text.  I
 would think that the passwords should be at least base64encoded for storage,
 so at least they would be as secure as the locally managed passwords, native
 to pfSense and Monowall. 

Actually, base64encoding would still be less secure (and as an
application auditor, wouldn't provide more than another 10 seconds of
delay in retrieving them) than local passwords which are one way
hashed.  I don't know anything about the FreeRadius package so I can't
comment directly on what it requires or what the passwords it stores
in our config.xml are supposed to resemble.

It's an issue, I don't know how to fix it at this point as I've never
even looked at that part of code.

--Bill




Re: [pfSense Support] FreeRadius Package - slight security issue

2005-08-05 Thread Scott Ullrich
Contact the authors of freeradius then.   This setup would be no
different from freebsd in the back of your room running the same
configuration!

On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
 While looking through the config.xml file to see if I could spot anything
 unusual (to help me fix the last issue I posted about), I noticed the
 FreeRadius config... 
 
 The problem that I saw is that the passwords are stored in clear text.  I
 would think that the passwords should be at least base64encoded for storage,
 so at least they would be as secure as the locally managed passwords, native
 to pfSense and Monowall. 
 
 Paul




RE: [pfSense Support] FreeRadius Package - slight security issue

2005-08-05 Thread Paul Taylor
Bill,

Well, yes, I realize that base64encoding doesn't provide much in the
way of security...  But it's better than the data being completely in the
clear...  I have some encryption/decryption code around here somewhere that
could probably be used, but of course the key would have to be in the code,
where it could be seen, so even that doesn't provide great security...  

Paul

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 05, 2005 11:01 AM
To: Paul Taylor
Cc: support@pfsense.com
Subject: Re: [pfSense Support] FreeRadius Package - slight security issue

On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
 While looking through the config.xml file to see if I could spot anything
 unusual (to help me fix the last issue I posted about), I noticed the
 FreeRadius config... 
 
 The problem that I saw is that the passwords are stored in clear text.  I
 would think that the passwords should be at least base64encoded for storage,
 so at least they would be as secure as the locally managed passwords, native
 to pfSense and Monowall. 

Actually, base64encoding would still be less secure (and as an
application auditor, wouldn't provide more than another 10 seconds of
delay in retrieving them) than local passwords which are one way
hashed.  I don't know anything about the FreeRadius package so I can't
comment directly on what it requires or what the passwords it stores
in our config.xml are supposed to resemble.

It's an issue, I don't know how to fix it at this point as I've never
even looked at that part of code.

--Bill




Re: [pfSense Support] FreeRadius Package - slight security issue

2005-08-05 Thread Bill Marquette
On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
 Bill,
 
 Well, yes, I realize that base64encoding doesn't provide much in the
 way of security...  But it's better than the data being completely in the
 clear...  I have some encryption/decryption code around here somewhere that
 could probably be used, but of course the key would have to be in the code,
 where it could be seen, so even that doesn't provide great security...

And I disagree.  base64encoding provides zero security.  Obscuring the
data is no excuse for real protection.  If we can protect it the right
way (a one way hash), we will.  Anything less than a one-way hash
means it's reversible, passwords shouldn't be reversible in any way
shape or form - I'd rather have glaring plaintext passwords reminding
me to do something about them than something that at first glance
passes muster.  I'll personally back out any commit that does a
half-ass job at it (not that I expect anyone to make such a commit).

Don't hand out your config.xml and you'll be fine.

--Bill
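
The distinction drawn in the message above between an encoding and a one-way hash, as an added example that is not part of the original thread or of pfSense code: the base64 form hands the password back to anyone who reads the stored value, while the salted PBKDF2 form can only be checked against a guess. The function names, the stored-string layout and the iteration count are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example; tune it to the hardware in use.
PBKDF2_ITERATIONS = 200_000


def b64_store(password: str) -> str:
    """Encoding only: no key and no secret, so it is trivially reversible."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def b64_recover(stored: str) -> str:
    """What any reader of the stored value can do with no extra knowledge."""
    return base64.b64decode(stored).decode("utf-8")


def hash_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256.

    The 'pbkdf2_sha256$iterations$salt$digest' layout is hypothetical.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS, salt.hex(), digest.hex()
    )


def hash_verify(candidate: str, stored: str) -> bool:
    """Recompute the hash for a candidate and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: reject rather than guess
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, rounds
    )
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    secret = "Constructed-Pass-1"  # constructed sample value
    encoded = b64_store(secret)
    print("base64 stored :", encoded)
    print("base64 reader :", b64_recover(encoded))  # the password itself
    hashed = hash_store(secret)
    print("hash stored   :", hashed)
    print("right guess   :", hash_verify(secret, hashed))
    print("wrong guess   :", hash_verify("not-the-password", hashed))
```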




Re: [pfSense Support] FreeRadius Package - slight security issue

2005-08-05 Thread Scott Ullrich
Not to mention I have to stress that this is no different from running
free-radius in a non pfSense environment.  Your real beef is with the
freeradius authors, not us.

Scott


On 8/5/05, Bill Marquette [EMAIL PROTECTED] wrote:
 On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
  Bill,
 
  Well, yes, I realize that base64encoding doesn't provide much in the
  way of security...  But it's better than the data being completely in the
  clear...  I have some encryption/decryption code around here somewhere that
  could probably be used, but of course the key would have to be in the code,
  where it could be seen, so even that doesn't provide great security...
 
 And I disagree.  base64encoding provides zero security.  Obscuring the
 data is no excuse for real protection.  If we can protect it the right
 way (a one way hash), we will.  Anything less than a one-way hash
 means it's reversible, passwords shouldn't be reversible in any way
 shape or form - I'd rather have glaring plaintext passwords reminding
 me to do something about them than something that at first glance
 passes muster.  I'll personally back out any commit that does a
 half-ass job at it (not that I expect anyone to make such a commit).
 
 Don't hand out your config.xml and you'll be fine.
 
 --Bill
 



RE: [pfSense Support] FreeRadius Package - slight security issue

2005-08-05 Thread Paul Taylor

Bill,

Sure, if someone gets a hold of the config.xml file, no amount of
base64encoding will stop them from getting a password.. But, if someone is
in the same room with you looking over your shoulder while you are looking
through the config.xml file, there is no need to give them a clear view of
usernames and passwords.

In a corporate environment, people can walk by your office or cube any
time...  We have found ourselves in this very situation more than once...
Having passwords in a file that we were working on in clear text, when
someone unexpectedly dropped by..  In our situation, we are pretty
out-of-the-way, but in most corporate environments, that just isn't the
case...  People are crammed in cubes right next to each other, and they
might not even be doing related jobs.

Paul


-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 05, 2005 11:17 AM
To: Paul Taylor
Cc: support@pfsense.com
Subject: Re: [pfSense Support] FreeRadius Package - slight security issue

On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
 Bill,
 
 Well, yes, I realize that base64encoding doesn't provide much in the
 way of security...  But it's better than the data being completely in the
 clear...  I have some encryption/decryption code around here somewhere that
 could probably be used, but of course the key would have to be in the code,
 where it could be seen, so even that doesn't provide great security...

And I disagree.  base64encoding provides zero security.  Obscuring the
data is no excuse for real protection.  If we can protect it the right
way (a one way hash), we will.  Anything less than a one-way hash
means it's reversible, passwords shouldn't be reversible in any way
shape or form - I'd rather have glaring plaintext passwords reminding
me to do something about them than something that at first glance
passes muster.  I'll personally back out any commit that does a
half-ass job at it (not that I expect anyone to make such a commit).

Don't hand out your config.xml and you'll be fine.

--Bill




Re: [pfSense Support] FreeRadius Package - slight security issue

2005-08-05 Thread Scott Ullrich
This whole argument is pointless.  If this is really this big of a
problem you have these choices:

1.  Don't use freeradius and use a separate server where you will be
entering these configs in _PLAIN TEXT_ as well.

2.  Don't use pfSense

Scott


On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
 
 Bill,
 
 Sure, if someone gets a hold of the config.xml file, no amount of
 base64encoding will stop them from getting a password.. But, if someone is
 in the same room with you looking over your shoulder while you are looking
 through the config.xml file, there is no need to give them a clear view of
 usernames and passwords.
 
 In a corporate environment, people can walk by your office or cube any
 time...  We have found ourselves in this very situation more than once...
 Having passwords in a file that we were working on in clear text, when
 someone unexpectedly dropped by..  In our situation, we are pretty
 out-of-the-way, but in most corporate environments, that just isn't the
 case...  People are crammed in cubes right next to each other, and they
 might not even be doing related jobs.
 
 Paul
 
 
 -Original Message-
 From: Bill Marquette [mailto:[EMAIL PROTECTED]
 Sent: Friday, August 05, 2005 11:17 AM
 To: Paul Taylor
 Cc: support@pfsense.com
 Subject: Re: [pfSense Support] FreeRadius Package - slight security issue
 
 On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
  Bill,
 
  Well, yes, I realize that base64encoding doesn't provide much in the
  way of security...  But it's better than the data being completely in the
  clear...  I have some encryption/decryption code around here somewhere that
  could probably be used, but of course the key would have to be in the code,
  where it could be seen, so even that doesn't provide great security...
 
 And I disagree.  base64encoding provides zero security.  Obscuring the
 data is no excuse for real protection.  If we can protect it the right
 way (a one way hash), we will.  Anything less than a one-way hash
 means it's reversible, passwords shouldn't be reversible in any way
 shape or form - I'd rather have glaring plaintext passwords reminding
 me to do something about them than something that at first glance
 passes muster.  I'll personally back out any commit that does a
 half-ass job at it (not that I expect anyone to make such a commit).
 
 Don't hand out your config.xml and you'll be fine.
 
 --Bill
 



Re: [pfSense Support] FreeRadius Package - slight security issue

2005-08-05 Thread Bill Marquette
Get a privacy screen for your monitor.  Or get a mirror for the
monitor so you can see the corporate spies.  Or retrieve the config
file via status.php which will sanitize the passwords.  Masking the
passwords w/ base64 doesn't solve the problem and we will _NOT_
implement a half assed solution.

--Bill

On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
 
 Bill,
 
 Sure, if someone gets a hold of the config.xml file, no amount of
 base64encoding will stop them from getting a password.. But, if someone is
 in the same room with you looking over your shoulder while you are looking
 through the config.xml file, there is no need to give them a clear view of
 usernames and passwords.
 
 In a corporate environment, people can walk by your office or cube any
 time...  We have found ourselves in this very situation more than once...
 Having passwords in a file that we were working on in clear text, when
 someone unexpectedly dropped by..  In our situation, we are pretty
 out-of-the-way, but in most corporate environments, that just isn't the
 case...  People are crammed in cubes right next to each other, and they
 might not even be doing related jobs.
 
 Paul
 
 
 -Original Message-
 From: Bill Marquette [mailto:[EMAIL PROTECTED]
 Sent: Friday, August 05, 2005 11:17 AM
 To: Paul Taylor
 Cc: support@pfsense.com
 Subject: Re: [pfSense Support] FreeRadius Package - slight security issue
 
 On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
  Bill,
 
  Well, yes, I realize that base64encoding doesn't provide much in the
  way of security...  But it's better than the data being completely in the
  clear...  I have some encryption/decryption code around here somewhere that
  could probably be used, but of course the key would have to be in the code,
  where it could be seen, so even that doesn't provide great security...
 
 And I disagree.  base64encoding provides zero security.  Obscuring the
 data is no excuse for real protection.  If we can protect it the right
 way (a one way hash), we will.  Anything less than a one-way hash
 means it's reversible, passwords shouldn't be reversible in any way
 shape or form - I'd rather have glaring plaintext passwords reminding
 me to do something about them than something that at first glance
 passes muster.  I'll personally back out any commit that does a
 half-ass job at it (not that I expect anyone to make such a commit).
 
 Don't hand out your config.xml and you'll be fine.
 
 --Bill
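
One way to produce a copy of a config file that is safe to show or share, in the spirit of the sanitized retrieval mentioned at the top of this message (an added example, not pfSense's status.php or any code from the thread). The tag-name pattern, the placeholder string and the sample config.xml with its element names are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: any element whose tag contains one of these words is sensitive.
SENSITIVE_TAG = re.compile(r"(passw(or)?d|secret|key)", re.IGNORECASE)
REDACTED = "xxxxx"

# Constructed sample; element names are hypothetical, values are made up.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw1</hostname>
    <password>$1$constructed$hashvalue</password>
  </system>
  <installedpackages>
    <freeradius>
      <config>
        <username>tenant-a</username>
        <password>Constructed-Pass-1</password>
      </config>
    </freeradius>
    <freeradiusclients>
      <config>
        <client>192.0.2.10</client>
        <sharedsecret>Constructed-Secret</sharedsecret>
      </config>
    </freeradiusclients>
  </installedpackages>
</pfsense>
"""


def sanitize_config(xml_text):
    """Return (sanitized_xml, redacted_paths) for a config document.

    Only leaf text is replaced; the structure and non-sensitive values are
    kept so the copy is still useful for troubleshooting.
    """
    root = ET.fromstring(xml_text)
    redacted_paths = []

    def walk(elem, parent_path):
        path = parent_path + "/" + elem.tag
        has_text = bool((elem.text or "").strip())
        if has_text and SENSITIVE_TAG.search(elem.tag):
            elem.text = REDACTED
            redacted_paths.append(path)
        for child in elem:
            walk(child, path)

    walk(root, "")
    return ET.tostring(root, encoding="unicode"), redacted_paths


def leaked_values(sanitized_xml, known_secrets):
    """Post-check: list any known secret that still appears in the output."""
    return [s for s in known_secrets if s in sanitized_xml]


if __name__ == "__main__":
    clean, paths = sanitize_config(SAMPLE_CONFIG)
    print(clean)
    for p in paths:
        print("redacted:", p)
    print("leaks:", leaked_values(clean, ["Constructed-Pass-1",
                                          "Constructed-Secret"]))
```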





RE: [pfSense Support] FreeRadius Package - slight security issue

2005-08-05 Thread Paul Taylor


I didn't mean this to be any sort of argument, but you seem to be taking it
as a personal attack... I was just pointing out something that I thought
could be an issue.  If you don't agree about this being an issue, that's
fine.. Leave things the way they are, I'll cope..  

I was just trying to provide feedback, which I thought you wanted...

Paul




-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 05, 2005 11:27 AM
To: Paul Taylor
Cc: Bill Marquette; support@pfsense.com
Subject: Re: [pfSense Support] FreeRadius Package - slight security issue

This whole argument is pointless.  If this is really this big of a
problem you have these choices:

1.  Don't use freeradius and use a separate server where you will be
entering these configs in _PLAIN TEXT_ as well.

2.  Don't use pfSense

Scott


On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
 
 Bill,
 
 Sure, if someone gets a hold of the config.xml file, no amount of
 base64encoding will stop them from getting a password.. But, if someone is
 in the same room with you looking over your shoulder while you are looking
 through the config.xml file, there is no need to give them a clear view of
 usernames and passwords.
 
 In a corporate environment, people can walk by your office or cube any
 time...  We have found ourselves in this very situation more than once...
 Having passwords in a file that we were working on in clear text, when
 someone unexpectedly dropped by..  In our situation, we are pretty
 out-of-the-way, but in most corporate environments, that just isn't the
 case...  People are crammed in cubes right next to each other, and they
 might not even be doing related jobs.
 
 Paul
 
 
 -Original Message-
 From: Bill Marquette [mailto:[EMAIL PROTECTED]
 Sent: Friday, August 05, 2005 11:17 AM
 To: Paul Taylor
 Cc: support@pfsense.com
 Subject: Re: [pfSense Support] FreeRadius Package - slight security issue
 
 On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
  Bill,
 
  Well, yes, I realize that base64encoding doesn't provide much in the
  way of security...  But it's better than the data being completely in the
  clear...  I have some encryption/decryption code around here somewhere that
  could probably be used, but of course the key would have to be in the code,
  where it could be seen, so even that doesn't provide great security...
 
 And I disagree.  base64encoding provides zero security.  Obscuring the
 data is no excuse for real protection.  If we can protect it the right
 way (a one way hash), we will.  Anything less than a one-way hash
 means it's reversible, passwords shouldn't be reversible in any way
 shape or form - I'd rather have glaring plaintext passwords reminding
 me to do something about them than something that at first glance
 passes muster.  I'll personally back out any commit that does a
 half-ass job at it (not that I expect anyone to make such a commit).
 
 Don't hand out your config.xml and you'll be fine.
 
 --Bill
 