On 04/05/13 18:40, Mark McCullough wrote:
> On 2013 Apr 5, at 21:28 , Robert Hajime Lanning wrote:
>> On 04/05/13 17:36, Edward Ned Harvey (lopser) wrote:
>>> I believe RADIUS only handles password authentication. If you have a cert
>>> infrastructure, it's best to use certs first and username/password only as a
>>> second factor.
>>> Even if you have a 9-character password with a complex mix of caps and symbols, a
>>> brute-force attack can crack it in days. If you want security, you really
>>> need to go for certs.
>>> A lot of people don't really care about security though. ;-)
>> Then why is it that everywhere I go that uses things like a RADIUS gateway to AD, my
>> account gets locked after 3 failed attempts?
> Because they don't care about security.
> Auto-locking accounts creates a denial-of-service vulnerability. It becomes
> trivial to lock out (and keep locked out) any administrator account, or more
> sensitive accounts like database and application accounts.
> Real security involves actually securing the host, rather than ignoring it. (I've been
> on this soapbox many times before, so I won't repeat myself, much.) Disable unused
> accounts, don't just set a "strong" password. If an account can be logged into remotely
> and execute arbitrary commands, but more than one user has the ability to look
> up the authentication credentials, then that account has no individual accountability and
> is a weak point on your system. Even more so if it has any privileges beyond those of a regular
> user. (One of the worst examples is credentialed scanning that wants unlimited root
> access via passwordless sudo.)
> But on the flip side, the first rule of computer security comes in as well: "Don't
> have a computer." (There's no such thing as 100% security.)
> What, you wanted an easy answer from me?
Admin accounts MUST NOT have the ability to log in via WiFi/VPN/whatever.
Who lets root/Administrator log in to your publicly accessible WiFi/VPN?
For VPN, I have yet to be at a place that uses certs. They all use
either password (if they don't care much), or password + token code of
some kind. (I have used RSA SecurID and Verisign VIP.)
BTW, either the cert MUST be on a PKCS#11 token, or you must be using
passwords with it. Otherwise you are not authenticating the user, you
are authenticating the device.
BTW, this thread was about WiFi, not hosts. And it drifted to the topic
of WPA2-PSK versus WPA2-Enterprise (RADIUS). Of course there is
802.1X, which is usually backed by (again) RADIUS. Usually the RADIUS
server is just a gateway to AD, since AD tends to be the identity
management system.
So, in the end, we are just looking for two-factor authorization:
something you have and something you know. Password+token code or
password+certificate.
Password+token tends to be the most used, as it is the easiest and
most widely compatible to support.
--
Mr. Flibble
King of the Potato People
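Added example (editor's illustration, not code from the thread or from any of its participants): a toy authentication gate that puts the two points above side by side, Mark's "auto-lock is a denial of service" and Robert's "password + token code". It compares a hard three-strikes account lockout with per-source throttling, and requires an RFC 6238 TOTP code on top of the password. The user names, passwords, TOTP seeds, source addresses and timestamps are all constructed for the example; the throttle window and limits are arbitrary illustration values, not a recommendation.

```python
"""Toy authentication gate: hard account lockout vs. per-source throttling,
with password + TOTP (RFC 6238) as the two factors.  Added example; every
user, secret and address below is constructed, not taken from a real system."""
import hashlib
import hmac
import struct
from collections import defaultdict, deque

SALT = b"example-salt"  # constructed; a real system uses a random salt per user


def pw_hash(pw: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (constant parameters for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)


# Constructed user store: password hash plus a per-user TOTP seed.
# The "admin" seed is the RFC 4226/6238 test-vector secret, so its codes are checkable.
USERS = {
    "admin": {"pw": pw_hash("correct horse battery staple"), "totp": b"12345678901234567890"},
    "alice": {"pw": pw_hash("hunter2"), "totp": b"alice-constructed-seed-0"},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step."""
    return hotp(secret, int(now // step), digits)


def _check(user: str, pw: str, code: str, now: float) -> bool:
    """Both factors must pass: password hash and a TOTP code for this or the previous step."""
    rec = USERS.get(user)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(rec["pw"], pw_hash(pw))
    code_ok = any(hmac.compare_digest(totp(rec["totp"], now - d), code) for d in (0, 30))
    return pw_ok and code_ok


class AccountLockoutGate:
    """Policy A (the one Robert keeps running into): lock the *account* after
    MAX_FAILS failures, no matter where they came from."""
    MAX_FAILS = 3

    def __init__(self):
        self.fails = defaultdict(int)

    def login(self, user, pw, code, src, now):
        if self.fails[user] >= self.MAX_FAILS:
            return "locked"
        if _check(user, pw, code, now):
            self.fails[user] = 0
            return "ok"
        self.fails[user] += 1
        return "locked" if self.fails[user] >= self.MAX_FAILS else "denied"


class SourceThrottleGate:
    """Policy B: sliding-window throttle keyed on the *source address*; the
    account itself is never locked, so one noisy source cannot deny service
    to the real admin arriving from elsewhere."""
    MAX_FAILS = 5
    WINDOW = 300  # seconds

    def __init__(self):
        self.fails = defaultdict(deque)

    def login(self, user, pw, code, src, now):
        q = self.fails[src]
        while q and now - q[0] > self.WINDOW:
            q.popleft()
        if len(q) >= self.MAX_FAILS:
            return "throttled"
        if _check(user, pw, code, now):
            return "ok"
        q.append(now)
        return "denied"


def simulate(gate_cls):
    """Attacker sprays four wrong passwords at 'admin' from one constructed address;
    then the real admin logs in from a different address with both factors correct.
    Returns (attacker_results, admin_result)."""
    gate = gate_cls()
    t = 1_700_000_000.0  # constructed epoch timestamp
    attacker = [gate.login("admin", f"guess{i}", "000000", "203.0.113.9", t + i) for i in range(4)]
    good = gate.login("admin", "correct horse battery staple",
                      totp(USERS["admin"]["totp"], t + 10), "198.51.100.7", t + 10)
    return attacker, good
```

Under policy A the admin's own login comes back "locked" even though both factors were right; under policy B the attacker is merely "denied" and the admin gets "ok". The per-source throttle is deliberately simplified: a distributed attacker or an attacker sharing the admin's NAT address changes the picture, and a six-digit TOTP is itself guessable, so the code check needs the same rate limiting as the password.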
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/