[2966] in bugtraq


Livingston RADIUS - pwfile is plain text!!?

daemon@ATHENA.MIT.EDU (webmaster@MEGAHITS.COM)
Fri Jul 19 02:49:50 1996

Date: Thu, 18 Jul 1996 23:00:10 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: webmaster@MEGAHITS.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

In a decision which I vehemently protested (not only because of the security
risks it posed but also because it was the final step towards completely
removing Linux from our network), this company recently abandoned its Cygnus
Network Security (CNS) Kerberos setup on a Linux 1.2.13 box, in favor of
Livingston RADIUS on NT 3.51.

(see http://www.livingston.com/Marketing/Products/radius.shtml)

Now this very well may be the fault of those who installed it, but it seems
to me, after a little investigation, that the file containing all user names
and passwords is stored in C:\RADIUS\ ... as PLAIN TEXT! If this is true,
and the installation was carried out correctly, then Livingston's
incarnation of RADIUS is simply laughable. If not, and the people who
installed it here are to blame, then shame on them for not taking the proper
steps to even ATTEMPT to disguise/secure the location and contents of the
password file.

What I would like to know is if anyone has had any experience with this
product, and can tell me what needs to be done to fix this blatantly obvious
problem.
