[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Pam and radius

On Fri, 28 Feb 1997, Theodore Y. Ts'o wrote:

> Nope; RADIUS doesn't do any encryption or integrity protection on any
> field except the user password.  So it's no more secure than psuedo-NIS.

Yes, it is. Not the best security options, but at least you can't do 
"ypcat shadow.byname" on it.

> As far as security as compared to Kerberos, the Radius server actually
> has to know the user passwords, and someone who steals the Radius
> client's secret key will be able to snoop user passwords off the
> network.  In contrast, Kerberos doesn't store the users' passwords, but
> a one-way transformation of the user password, stored as a DES key.  And
> someone who steals the Kerberos secret won't get any user passwords,
> because the user passwords never leave the authenticating workstation.

I agree completely. Talking about this, TACACS+ is also more secure, but
RADIUS have what others don't: widely used, simple, easy and efficient. In
most cases, the only solution in a mixed NAS environment. Last time I've
checked, MIT told me a big NO when tryied to download kerberos code.
TACACS+ have a nasty copyright too.

> The difference is that Kerberos gives so much more, given that you're
> going through the same amount of administrative overhead.  You get
> encrypted, secure connections, etc.  Now that TCP hijacking attacks are

Wow ! How nice ! :-) I'm in Europe. What does Kerberos give me ? A 'right'
to use pirated code ?

I am not by any means against Kerberos, I agree it is much much superior.
But the fact that CISCO did it in their access servers and the fact that
in Europe I *can't* get the IOS containing kerberos code without
additional paperwork make me think of it more as a 'closed' project,
somewhere in the pseudo-crypto-free world over the ocean.

> and terminal servers that support Kerberos.  Given that, I've never been
> convinced that Radius should have a place for non-terminals erver
> applications.

mail/ftp is okay. I wouldn't rely on RADIUS to provide shell access, but
for an ISP it just does the work. And can be implemented and maintained
without worry about ITAR.

Best wishes,
		Cristian Gafton
Cristian Gafton                                    gafton@sorosis.ro
Computers & Communications Center              Network Administrator
http://www.sorosis.ro/~gafton                          Iasi, Romania
UNIX is user friendly. It's just selective about who its friends are.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []