Secure auth methods pam_radius
Bob Probert
2013-12-03 02:39:05 UTC
Hello all,

I would like to use the PAM Radius module to authenticate Linux servers
against my Radius server.

I compiled and configured the PAM module, things appear to be working,
however I would like to use a more secure authentication method than PAP.

Is it possible to force the PAM module to use a more secure method? What
does the community endorse as the most secure authentication method for
Radius?

Thanks!

Bob
Alan DeKok
2013-12-03 13:59:11 UTC
Post by Bob Probert
I compiled and configured the PAM module, things appear to be working,
however I would like to use a more secure authentication method than PAP.
What do you mean "more secure"? The system running PAM has the
clear-text password for the user. The RADIUS server has the clear-text
password for the user. The RADIUS protocol secures the password when
it's sent in the network.

What, exactly, do you mean?

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Bob Probert
2013-12-03 16:40:52 UTC
Alan,

Thanks for the reply!

In my understanding RADIUS provides security in the form of an MD5 hash --
not ideal.

Has RADSEC been implemented for this PAM module? If not, how is the
community sanitizing this traffic? IPSEC? STUNNEL?

Thanks!
Arran Cudbard-Bell
2013-12-03 17:02:33 UTC
Post by Bob Probert
In my understanding RADIUS provides security in the form of an MD5 hash -- not ideal.
No, it's not an MD5 hash; an MD5 hash wouldn't be reversible.
Post by Bob Probert
Has RADSEC been implemented for this PAM module?
No, patches welcome.

Arran Cudbard-Bell <***@freeradius.org>
FreeRADIUS Development Team

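Arran's point that User-Password is obfuscated rather than hashed is easiest to see by implementing the RFC 2865 section 5.2 algorithm and running it both ways. This is an added example, not code from the thread or from pam_radius; the shared secret and Request Authenticator below are constructed sample values.

```python
import hashlib

# Constructed sample values (not from the thread): a shared secret and a
# 16-byte Request Authenticator such as a NAS places in an Access-Request.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def _padded_length(n: int) -> int:
    """RFC 2865 pads the password with NULs to a multiple of 16 (minimum 16)."""
    return max(16, ((n + 15) // 16) * 16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Build the User-Password attribute value per RFC 2865 section 5.2.

    Each 16-byte block of the padded password is XORed with
    MD5(secret + previous block); for the first block the "previous block"
    is the Request Authenticator.
    """
    padded = password.ljust(_padded_length(len(password)), b"\x00")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password. The keystream is regenerated from the shared
    secret and the Request Authenticator (which travels in the same packet),
    so whoever holds the secret recovers the password: obfuscation, not a hash.
    Assumes the original password contained no trailing NUL bytes."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    hidden = hide_password(b"s3cret-pw", SHARED_SECRET, REQUEST_AUTHENTICATOR)
    print("on the wire:", hidden.hex())
    print("recovered: ", unhide_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR))
```

Running it shows that the wire value changes with every Request Authenticator and round-trips only under the correct shared secret, which is exactly why the shared secret (or the transport protections Alan describes) is what the password's confidentiality rests on.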
Alan DeKok
2013-12-03 18:11:17 UTC
Post by Bob Probert
In my understanding RADIUS provides security in the form of an MD5 hash
-- not ideal.
I said RADIUS secures the password. I meant that.

It helps to understand the system before trying to fix it.
Post by Bob Probert
Has RADSEC been implemented for this PAM module? If not, how is the
community sanitizing this traffic? IPSEC? STUNNEL?
You're asking the wrong questions. Your questions are based on a
false assumption: that the password is insecure in normal RADIUS.

There is no evidence to believe that this is true.

If you want the traffic to be *more* secure, set the RADIUS server to
be 127.0.0.1, and run a RADIUS proxy on the local machine. It can then
do RadSec to anywhere you want.

Or, you can configure IPSec, so that the RADIUS PAM module
communicates with the RADIUS server over a network secured by IPSec.

Both solutions require *zero* changes to the PAM module. All they
require is a little knowledge of networking.

Alan DeKok.
Bob Probert
2013-12-03 19:57:46 UTC
Alan and Arran,

Thanks for your response.

The security of Radius has been questioned on a number of occasions; it is not
out of line to question it on the Radius Users mailing list.
Alan DeKok
2013-12-03 20:22:21 UTC
Post by Bob Probert
The security of Radius has been questioned on a number of occasions, it
not out of line to question it on the Radius Users mailing list.
You're still not clear on what I was saying. It's OK to ask questions
about the security of RADIUS. It's less OK to ask questions and then argue
with the answers.

Alan DeKok.