Hi Tuure,

Moving the secrets from one cleartext file to another isn't secure; it's just a way to break the code up between more files. I'm interested in a secure way to access credentials which are kept both encrypted and only accessed when authenticated by a keyfile or something equally strong.

As far as I can tell this doesn't exist today in Radiator. I'm asking the members of this mailing list whether or not they think there is added value in implementing some form of sustainable security for these credentials.

________________________________________
From: radiator-boun...@open.com.au [radiator-boun...@open.com.au] on behalf of Tuure Vartiainen [varti...@open.com.au]
Sent: Friday, October 02, 2015 3:11 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

Hi,

> On 02 Oct 2015, at 14:57, Nadav Hod <nadav....@comm-it.co.il> wrote:
>
> I personally am not a big fan of NPS due to its lack of scalability,
> authentication support and customability, but at least credentials were
> somewhat secure.
>

If I understood correctly, the kind of protection you want could be implemented by using variables for secrets in the Radiator config and including the variable definitions through a script. E.g.:

    DbDir /etc/radiator
    include %D/conf_secrets.pl|

    <Client 1.2.3.4>
        Identifier client1
        Secret %{GlobalVar:client1_secret}
    </Client>

    <AuthBy FILE>
        EAPTLS_PrivateKeyPassword %{GlobalVar:tls_cert_key_pass}
    </AuthBy>

The protection of secrets is then implemented in the conf_secrets.pl script. When authorized to output, it should print to stdout:

    DefineGlobalVar client1_secret mysecret
    DefineGlobalVar tls_cert_key_pass whatever

BR
--
Tuure Vartiainen <varti...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
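The conf_secrets script Tuure describes, written out as an added example (not from the mailing list and not Radiator's own code): it gates on a keyfile with strict ownership and permissions, authenticates and decrypts a secrets blob, and prints the DefineGlobalVar lines, refusing values that could inject extra directives into the included config stream. Assumptions: a Python script (conf_secrets.py) instead of Perl, the keyfile and blob paths given as arguments, and a stdlib HMAC counter-mode cipher standing in for AES-GCM so the example runs without extra libraries.

```python
# Hypothetical conf_secrets.py for `include %D/conf_secrets.py|` (added example, not
# Radiator's own code). Gate: keyfile must be a regular file owned by the caller, mode 0600.
# Cipher: HMAC-SHA256 counter mode + encrypt-then-MAC, stdlib only; use AES-GCM in practice.
import hmac, hashlib, os, re, stat, sys

NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
def load_keyfile(path):
    st = os.stat(path)
    if (not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid()
            or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)):
        raise PermissionError(f"{path}: need a regular file owned by uid {os.geteuid()}, mode 0600")
    with open(path, "rb") as f:
        key = f.read()
    if len(key) < 32:
        raise ValueError(f"{path}: key too short")
    return key
def _subkeys(key):  # independent keys for the keystream and for the MAC
    return tuple(hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
def _xor_stream(enc_key, nonce, data):  # counter-mode keystream, 32 bytes per counter value
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)
def encrypt(key, plaintext, nonce):  # blob layout: nonce(16) || ciphertext || tag(32)
    enc_key, mac_key = _subkeys(key)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("secrets blob failed authentication (tampered or wrong key)")
    return _xor_stream(enc_key, nonce, ct)
def render_global_vars(plaintext):
    # name=value lines -> `DefineGlobalVar name value`. A newline or control character in
    # a value could smuggle extra directives into the config stream Radiator reads from us.
    lines = []
    for raw in plaintext.decode("utf-8").splitlines():
        if not raw.strip():
            continue
        name, sep, value = raw.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not NAME_RE.match(name) or not value or not value.isprintable():
            raise ValueError(f"refusing secret line {raw!r}")
        lines.append(f"DefineGlobalVar {name} {value}")
    return "\n".join(lines) + "\n"
if __name__ == "__main__":  # usage: conf_secrets.py KEYFILE SECRETS_BLOB
    with open(sys.argv[2], "rb") as f:
        sys.stdout.write(render_global_vars(decrypt(load_keyfile(sys.argv[1]), f.read())))
```

The blob is produced once with encrypt() under the same keyfile; because the keyfile check and the decryption both run inside the script, Radiator's config itself never holds a cleartext secret.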
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator