Steve Beattie wrote:

> Um, there is a wider world than just UNIX and Windows and their host
> authentication schemes. What's far more likely is that Earthlink is
> using a radius protocol server for user authentication.
>
> According to the FAQ of at least one of the free implementations of
> a radiusd, Cistron/Freeradius, the way the CHAP protocol is specified
> *requires* that passwords be stored in the clear on the radius server --
> see <http://www.freeradius.org/faq/cistron.html#4.4>. For the voice of
> authority, see section 2.2 "Disadvantages" of RFC 1994 which specifies
> the CHAP protocol: <http://www.ietf.org/rfc/rfc1994.txt>. CHAP, as I
> recall, is pretty widely used.

I knew things like CHAP and RADIUS were common, but I didn't realize they sucked so hard.

> How common it is among ISPs to allow tech support to have access to such
> a plaintext database even one user id at a time, I have no idea (I've
> never worked in an ISP). But I agree that it's probably a bad practice.

"allow" is an interesting concept in settings where admins have root (because they need it) and one is not running secure operating systems that can separate root privileges ...

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
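As an added illustration of the RFC 1994 section 2.2 point quoted above (this is not code from either post, nor from Cistron/FreeRADIUS): the authenticator can only check a CHAP response by recomputing MD5(Identifier || secret || Challenge), so it needs the secret bytes themselves, and a one-way hash of the secret cannot be used. The `password_record`/`password_verify` functions are the example's own contrast, a PAP-style scheme where the server can keep a salted hash; all function names and the sample credential are constructed for this example.

```python
"""Why RFC 1994 CHAP forces cleartext secret storage on the authenticator
(e.g. a RADIUS server), compared with a scheme that verifies from a salted hash.
Added illustration; the names below are the example's own, not a real radiusd API."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side, RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: the only way to check a response is to recompute it,
    and recomputing needs the secret itself. A one-way hash of the secret cannot
    be turned back into the MD5 input, so an irreversibly hashed database is useless here."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_handshake(identifier: int, peer_secret: bytes, db_secret: bytes) -> bool:
    """Simulated three-way CHAP exchange: Challenge -> Response -> Success/Failure.
    db_secret is what the authenticator holds for this user: the cleartext secret."""
    challenge = os.urandom(16)          # fresh, unpredictable challenge per attempt
    response = chap_response(identifier, peer_secret, challenge)
    return chap_verify(identifier, db_secret, challenge, response)


# Contrast (constructed for this example): when the peer presents the password
# itself (PAP-style), the server can keep only a salted, iterated hash. Reading
# that record does not reveal the password, whereas a CHAP record *is* the password.
def password_record(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def password_verify(record: bytes, salt: bytes, presented: bytes) -> bool:
    return hmac.compare_digest(record, password_record(presented, salt))


if __name__ == "__main__":
    secret = b"correct horse battery staple"   # constructed sample credential
    assert chap_handshake(7, secret, secret)      # authenticator holds cleartext: works
    assert not chap_handshake(7, b"wrong", secret)
    salt = os.urandom(16)
    rec = password_record(secret, salt)
    assert password_verify(rec, salt, secret)     # verifies from the hash alone
    assert rec != secret                          # the stored record is not the secret
```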
This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 02:06:20 PDT