Alan DeKok
2014-11-10 19:05:49 UTC
E.S. Rosenberg wrote:
> Which in turn links to a nice page by Alan DeKok here:
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Which left me asking myself 2 questions:
> 1. Did anything change in the past 5 years, is there any decently
> supported protocol that does support hashed passwords (other than
> PAP)?
MD5 etc. hasn't changed in the last 5 years. So the table (and
conclusions) haven't changed either.
> 2. How can it be that all these protocols were designed with the idea
> that the auth server should have a cleartext copy of the users'
> password, haven't we all known for years now that that's a bad idea?
Because different people have different needs. And most people don't
think about RADIUS until it's too late to change their password storage
method.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
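
Added example, not part of the original thread or of FreeRADIUS: a sketch of why a hashed password store works with PAP but not with a challenge-response protocol such as CHAP. The PBKDF2 store, the function names and the sample password are assumptions made for illustration, and the PAP check models the server after it has decoded the password from the request.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor for this example


def store_hashed(password):
    """Hashed credential store: keeps only a salt and a salted slow hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def verify_pap(stored, received_password):
    """PAP: the server ends up holding the password the user typed,
    so it can re-hash it and compare with the stored digest."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", received_password, salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def chap_response(chap_id, secret, challenge):
    """CHAP (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def verify_chap(server_secret, chap_id, challenge, response):
    """The server must recompute the response, which needs the same
    secret bytes the client used, i.e. the cleartext password."""
    expected = chap_response(chap_id, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    password = b"correct horse battery"   # constructed sample credential
    stored = store_hashed(password)
    chap_id, challenge = 7, os.urandom(16)
    response = chap_response(chap_id, password, challenge)  # client side
    return {
        "pap_vs_hashed_store": verify_pap(stored, password),
        "chap_vs_cleartext_store": verify_chap(password, chap_id, challenge, response),
        "chap_vs_hashed_store": verify_chap(stored[1], chap_id, challenge, response),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The last case rejects a correct user because the server holds only the digest, which is not the value the client fed into MD5.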