
Re: Pam and radius



On Fri, 28 Feb 1997, Theodore Y. Ts'o wrote:

> Nope; RADIUS doesn't do any encryption or integrity protection on any
> field except the user password.  So it's no more secure than pseudo-NIS.

Yes, it is. Not the best security options, but at least you can't do 
"ypcat shadow.byname" on it.

> As far as security as compared to Kerberos, the Radius server actually
> has to know the user passwords, and someone who steals the Radius
> client's secret key will be able to snoop user passwords off the
> network.  In contrast, Kerberos doesn't store the users' passwords, but
> a one-way transformation of the user password, stored as a DES key.  And
> someone who steals the Kerberos secret won't get any user passwords,
> because the user passwords never leave the authenticating workstation.

I agree completely. Talking about this, TACACS+ is also more secure, but
RADIUS has what the others don't: it is widely used, simple, easy and efficient. In
most cases it is the only solution in a mixed NAS environment. Last time I
checked, MIT told me a big NO when I tried to download the Kerberos code.
TACACS+ has a nasty copyright too.

> The difference is that Kerberos gives so much more, given that you're
> going through the same amount of administrative overhead.  You get
> encrypted, secure connections, etc.  Now that TCP hijacking attacks are

Wow! How nice! :-) I'm in Europe. What does Kerberos give me? A 'right'
to use pirated code?

I am not by any means against Kerberos; I agree it is much, much superior.
But the fact that CISCO did it in their access servers and the fact that
in Europe I *can't* get the IOS containing Kerberos code without
additional paperwork makes me think of it more as a 'closed' project,
somewhere in the pseudo-crypto-free world over the ocean.

> and terminal servers that support Kerberos.  Given that, I've never been
> convinced that Radius should have a place for non-terminal-server
> applications.

mail/ftp is okay. I wouldn't rely on RADIUS to provide shell access, but
for an ISP it just does the job. And it can be implemented and maintained
without worrying about ITAR.

Best wishes,
		Cristian Gafton
--
--------------------------------------------------------------------
Cristian Gafton                                    gafton@sorosis.ro
Computers & Communications Center              Network Administrator
http://www.sorosis.ro/~gafton                          Iasi, Romania
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
UNIX is user friendly. It's just selective about who its friends are.
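A worked illustration of the RADIUS property debated above, that only the User-Password attribute is transformed (RFC 2865 section 5.2) and that anyone holding the NAS's shared secret can recover it from a captured Access-Request. This is an added example, not code from the original message or from either poster; the shared secret, Request Authenticator, user name, password and addresses are constructed sample values, and the packet builder is a minimal one written for the demonstration rather than any real RADIUS library.

```python
import hashlib
import struct

# Constructed sample values for the demonstration; none come from the original post.
SHARED_SECRET = b"nas-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))   # a real NAS picks 16 random bytes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 bytes and each 16-byte
    block is XORed with MD5(secret || previous block); for the first block
    the "previous block" is the Request Authenticator.  This is the only
    transformation RADIUS applies; every other attribute goes in clear.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: whoever holds the secret and the packet
    (authenticator plus hidden blocks) regenerates the same keystream."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]          # chaining uses the ciphertext block
    return bytes(plain).rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes, username: bytes,
                         password: bytes, nas_ip: str, secret: bytes) -> bytes:
    """Minimal Access-Request (code 1): 20-byte header, then TLV attributes."""
    attrs = b""
    for atype, value in (
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ):
        attrs += struct.pack("!BB", atype, 2 + len(value)) + value
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes of a RADIUS packet."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def snoop(packet: bytes, secret: bytes) -> tuple:
    """What an eavesdropper learns from one captured Access-Request: the user
    name needs no key at all, and the password falls out once the client's
    shared secret is known (a wrong secret yields garbage, not an error)."""
    attrs = parse_attributes(packet)
    authenticator = packet[4:20]
    return attrs.get(ATTR_USER_NAME, b""), reveal_password(
        attrs[ATTR_USER_PASSWORD], secret, authenticator)


def tamper_nas_ip(packet: bytes, new_ip: str) -> bytes:
    """Rewrite NAS-IP-Address in transit.  Nothing in a plain RFC 2865
    Access-Request lets the server notice: the Request Authenticator is a
    random value, not a MAC over the packet, so the fields other than the
    password carry no integrity protection."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == ATTR_NAS_IP_ADDRESS:
            octets = bytes(int(o) for o in new_ip.split("."))
            return packet[:pos + 2] + octets + packet[pos + alen:]
        pos += alen
    raise ValueError("no NAS-IP-Address attribute")


if __name__ == "__main__":
    pkt = build_access_request(7, REQUEST_AUTHENTICATOR, b"alice",
                               b"correct horse battery staple", "192.0.2.10", SHARED_SECRET)
    print(snoop(pkt, SHARED_SECRET))        # with the secret: user name and password
    print(snoop(pkt, b"wrong-secret")[1])   # without it: keystream garbage
```

The password here is 28 bytes so the hiding runs over two chained blocks; the MD5 keystream is a function of the secret and values visible on the wire, which is exactly why a stolen client secret turns every capture into cleartext passwords, whereas the user name and NAS address were never protected in the first place. Nothing in this base-RFC packet would stop the tampered NAS-IP-Address from being accepted; the optional Message-Authenticator attribute of RFC 2869 is the mechanism later added to cover that gap.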


