On Wed, Jun 12, 2002 at 01:42:39AM -0700, Crispin Cowan wrote:
> Steve Beattie wrote:
> >According to the FAQ of at least one of the free implementations of
> >a radiusd, Cistron/Freeradius, the way the CHAP protocol is specified
> >*requires* that passwords be stored in the clear on the radius server --
> >see <http://www.freeradius.org/faq/cistron.html#4.4>. For the voice of
> >authority, see section 2.2 "Disadvantages" of RFC 1994 which specifies
> >the CHAP protocol: <http://www.ietf.org/rfc/rfc1994.txt>. CHAP, as I
> >recall, is pretty widely used.
> >
> I knew things like CHAP and RADIUS were common, but I didn't realize
> they sucked so hard.

Thinking about it more, CHAP+RADIUS has a similar architecture to
Kerberos -- in Kerberos, a copy of each user's private key (i.e.
password) is stored in plaintext on the Key Distribution Center (KDC),
the centralized authentication server for Kerberos. The KDC serves
nearly the same role as a centralized RADIUS/CHAP server. In neither
protocol is the user's password/private key transmitted between the
client and the authentication server.

Crispin, are you prepared to argue that you didn't realize Kerberos
"sucked so hard?"

(Crispin and I have tangled in the past over the suckitude of both the
architecture and implementation of Kerberos, with him usually defending
it. :-) )

-- 
Steve Beattie                            Don't trust programmers?
<steve@private>                          Complete StackGuard distro at
http://NxNW.org/~steve/                  immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.
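The point the thread makes (that a CHAP verifier must hold the secret in the clear) follows directly from how the response is computed. The following Python model is an added illustration and is not code from the email or from the FreeRADIUS project: it implements the response formula from RFC 1994 section 4.1, Response = MD5(Identifier || secret || Challenge), and shows that a server holding the cleartext secret can verify a client's response while a server that stored only a hash of the secret (a constructed SHA-256 store, used here purely for contrast) cannot. The secret, identifier and challenge values are constructed samples.

```python
"""Added model of the CHAP response check (RFC 1994 s4.1); not from the email.

The server must recompute MD5(Identifier || secret || Challenge) itself, so the
secret has to be available to it in the clear. A store holding only H(secret)
has no way to rebuild that input.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 s4.1: MD5 over the one-octet Identifier, the shared secret and
    the Challenge value, concatenated in that order."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_with_cleartext(identifier: int, stored_secret: bytes,
                          challenge: bytes, response: bytes) -> bool:
    """What a RADIUS/CHAP server actually does: recompute the expected response
    from the cleartext secret it holds and compare in constant time."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def verify_with_hashed_secret(identifier: int, secret_hash: bytes,
                              challenge: bytes, response: bytes) -> bool:
    """Constructed contrast: a server that kept only SHA-256(secret). The best it
    can do is feed the hash into the formula, which the client never used, so a
    legitimate client is rejected every time. There is no derivation from
    H(secret) back to the MD5 input, which is the RFC 1994 s2.2 disadvantage."""
    expected = chap_response(identifier, secret_hash, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run one constructed CHAP exchange against both kinds of server store."""
    secret = b"correct horse battery staple"   # constructed sample secret
    identifier = 0x2A                           # constructed packet identifier
    challenge = os.urandom(16)                  # server-chosen, fresh per exchange
    response = chap_response(identifier, secret, challenge)   # client side
    return {
        # cleartext store: verification succeeds
        "cleartext_store_verifies": verify_with_cleartext(
            identifier, secret, challenge, response),
        # hashed store: cannot recompute the response, so it fails
        "hashed_store_verifies": verify_with_hashed_secret(
            identifier, hashlib.sha256(secret).digest(), challenge, response),
        # the same response presented against a fresh challenge is rejected,
        # which is what the challenge buys the server
        "old_response_against_new_challenge": verify_with_cleartext(
            identifier, secret, os.urandom(16), response),
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints a dict with the cleartext check true and the other two false; the hashed-store case is the whole reason the FreeRADIUS FAQ says CHAP users must be stored in the clear, and the fresh-challenge case shows what the protocol does protect (the password never crosses the wire, and a captured response is useless against a new challenge).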
This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 04:54:57 PDT