
Re: Pam and radius

   Date: Fri, 28 Feb 1997 12:53:54 +0200 (EET)
   From: Cristian Gafton <gafton@sorosis.ro>

   > But from my understanding, this would be a pseudo-NIS. 

   Exactly, and much more secure.

Nope; RADIUS doesn't do any encryption or integrity protection on any
field except the user password.  So it's no more secure than pseudo-NIS.

   From: Anthony Baxter <arb@connect.com.au>
   Date: Fri, 28 Feb 1997 17:24:44 +1100

   Currently, the IETF-Radius WG explicitly excludes discussion of
   non-terminal server applications for radius. I'm not sure why
   this is, as it's definitely useful in this case.

As far as security as compared to Kerberos, the Radius server actually
has to know the user passwords, and someone who steals the Radius
client's secret key will be able to snoop user passwords off the
network.  In contrast, Kerberos doesn't store the users' passwords, but
a one-way transformation of the user password, stored as a DES key.  And
someone who steals the Kerberos secret won't get any user passwords,
because the user passwords never leave the authenticating workstation.

With Kerberos, you have to set up a service key on each workstation;
with Radius, you have to set up the Radius secret key.  With Kerberos,
you have to set up a central Kerberos server; with Radius, you have to
set up a central Radius server.  

The difference is that Kerberos gives so much more, given that you're
going through the same amount of administrative overhead.  You get
encrypted, secure connections, etc.  Now that TCP hijacking attacks are
real, the ability to do Kerberos encrypted telnet sessions is
important.  Especially for large scale ISPs; Cisco has implemented
encrypted telnet using Kerberos on their routers.

Radius is really a kludge for terminal vendors who claimed that Kerberos
was too hard to implement for their terminal servers.  Yet Cisco has
demonstrated that it's definitely possible, since they have both routers
and terminal servers that support Kerberos.  Given that, I've never been
convinced that Radius should have a place for non-terminal server

						- Ted
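The point Ted makes about RADIUS protecting only the password field, and only with a keyed obfuscation that any holder of the shared secret can reverse, can be seen directly in the User-Password hiding scheme of RFC 2865 section 5.2 (unchanged from the RADIUS drafts current in 1997). The following Python is an added example, not part of the original post or of any RADIUS implementation; the shared secret, Request Authenticator, user name and password are constructed sample values, and the Access-Request it builds carries only the two attributes needed to make the point.

```python
"""RFC 2865 User-Password hiding, and what it does (and does not) protect.

Added example: the shared secret, Request Authenticator, user name and
password below are constructed sample values, not taken from any real
deployment.
"""
import hashlib
import struct

# Attribute type codes and packet code from RFC 2865.
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2

# Constructed sample inputs. A real NAS draws the Request Authenticator
# from a strong random source; it is fixed here so results are reproducible.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
USERNAME = b"alice"
PASSWORD = b"correct horse battery"


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Obscure a cleartext password the way the RADIUS client (NAS) does.

    The password is NUL-padded to a multiple of 16 bytes; each chunk is XORed
    with MD5(secret + previous block), where the first 'previous block' is the
    Request Authenticator. This is reversible by anyone holding the secret.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk  # chaining uses the ciphertext block, not the plaintext
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Recover the cleartext exactly as the RADIUS server must to check it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier: int, request_auth: bytes,
                         username: bytes, password: bytes, secret: bytes) -> bytes:
    """Encode a minimal Access-Request: Code, Identifier, Length, Authenticator, attributes.

    Note that in RFC 2865 an Access-Request carries no integrity check over
    its attributes; only User-Password is transformed, and User-Name travels
    in the clear.
    """
    hidden = hide_password(password, secret, request_auth)
    attrs = (bytes([USER_NAME, 2 + len(username)]) + username
             + bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the type/length/value attribute list that follows the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def demo() -> dict:
    """Show what a passive observer sees, and what a secret holder recovers."""
    pkt = build_access_request(7, REQUEST_AUTH, USERNAME, PASSWORD, SHARED_SECRET)
    attrs = parse_attributes(pkt)
    return {
        "username_in_clear": attrs[USER_NAME],          # readable off the wire
        "hidden_len": len(attrs[USER_PASSWORD]),        # 21-byte password -> 32
        "password_recovered": unhide_password(attrs[USER_PASSWORD],
                                              SHARED_SECRET, REQUEST_AUTH),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The defensive reading is the one Ted gives: the RADIUS server necessarily ends up with every cleartext password, and the shared secret is a single value whose compromise exposes all of them, so the secret and the NAS-to-server path need the same protection you would give the passwords themselves.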
