
Re: Livingston RADIUS - pwfile is plain text!!?

daemon@ATHENA.MIT.EDU (Saint John)
Fri Jul 19 14:31:05 1996

Date: 	Fri, 19 Jul 1996 07:10:08 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Saint John <jms1@depeche.mode.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <2.2.32.19960719030010.00742240@megahits.com>

On Thu, 18 Jul 1996 webmaster@megahits.com wrote:

> ... this company recently abandoned its Cygnus Network Security (CNS)
> kerberos setup on a linux 1.2.13 box, in favor of Livingston RADIUS on NT
> 3.51.
>
> (see http://www.livingston.com/Marketing/Products/radius.shtml)
>
> Now this very well may be the fault of those who installed it, but it seems
> to me, after a little investigation, that the file containing all user names
> and passwords is stored in C:\RADIUS\ ... as PLAIN TEXT! If this is true,
> and the installation was carried out correctly, then Livingston's
> incarnation of RADIUS is simply laughable.

just to clarify here- livingston never released a windows nt port of radius.
others have ported the code over to windows nt, mainly because they wanted the
log files to go to an odbc-compliant database rather than having to parse
through a strangely-formatted text file to get accounting data on their
users... but it seems they didn't change the password file format at all. you
may want to make sure the C:\RADIUS directory is on an NTFS partition, and set
permissions on that directory so that j.random.luzer doesn't have access to
it.

we run radius at work (i work for an isp) on a BSD box that users don't have
access to. the users file *is* stored as a straight text file, with the
passwords visible in plain text... our setup at work has the /etc/raddb
directory even more tightly controlled than access to the box itself (i.e.
group "radius" on the box, our tech support staff, can *read* the password and
log files, to assist users with stupid password problems- typing their
password in capital letters when it should be lowercase, this sort of
thing...) and only root has write-access to the files.

> If not, and the people who installed it here are to blame, then shame on
> them for not taking the proper steps to even ATTEMPT to disguise/secure the
> location and contents of the password file.

*thwap* bad humans!

> What I would like to know is if anyone has had any experience with this
> product, and can tell me what needs to be done to fix this blatantly obvious
> problem.

i play with hacking radius code all day long... my suggestion is to (1) find
the people who installed nt-radius and slap them around a bit, (2) get a copy
of livingston's radius code from ftp.livingston.com, (3) compile it on a UNIX
machine and run it there.

one option you do have with livingston's code is, if you run the radiusd on
the same unix machine where your users' shell accounts are, you can say (in
the password file) "Password = UNIX", in which case it will take the password
that the user is trying to log in with and compare it with the /etc/passwd
password on that same machine. this makes it easier for two reasons- (1) the
user can change their radius password using the same 'passwd' mechanism they
currently use to change their shell account password, and (2) the password
they choose isn't stored in a plain-text-readable format in radius's users
file.

the code itself is fairly easy to hack (i.e. customize the logging output,
keep utmp-style files for each portmaster so concurrent logins can be caught
and killed, if such is your organization's policy, etc.) if you're so inclined
(and from what i've seen on this list, most of you seem to be so inclined...)

take care all.

-------------------------------------------------------------------------------
     "Saint" John Simpson, KSC     |  It all seems so stupid, it makes me want
      <jms1@depeche.mode.net>      |    to give up. But why should I give up
http://www.depeche.mode.net/~jms1/ |   when it all seems so stupid?   -mlg/dM
          1-500-FIND-JMS           | PGP:  5929AF9F 22DDE84B B74BD558 EDD68F73
-------------------------------------------------------------------------------
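An audit of a Livingston-style users file in the layout the post describes, as an added example that is not from the post or from Livingston's code; it assumes the 1996-era format (username in column 0 followed by the check items, indented lines carrying reply items) and reports which entries store a quoted cleartext Password versus delegating to /etc/passwd with Password = UNIX. The sample file is constructed.

```python
import re
from collections import Counter

# Constructed sample in the Livingston users-file layout: a user line starts in
# column 0 with the name followed by check items; indented lines carry reply items.
SAMPLE_USERS = """\
# users -- constructed example, not a real configuration
alice   Password = "hunter2"
        Service-Type = Framed-User,
        Framed-Protocol = PPP
bob     Password = UNIX
        Service-Type = Login-User
carol   Password = "s3cret", Expiration = "Dec 31 1996"
        Service-Type = Framed-User
DEFAULT Password = UNIX
        Service-Type = Framed-User
"""

ENTRY_RE = re.compile(r"^(\S+)\s+(.*)$")   # name in column 0, then check items
PASSWORD_RE = re.compile(r'Password\s*=\s*("([^"]*)"|(\S+))', re.IGNORECASE)

def parse_users(text):
    """Return a list of (username, check_items) pairs from a users file."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():          # continuation line: reply items, not checks
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).rstrip(",")))
    return entries

def classify_password(check_items):
    """'unix' if delegated to /etc/passwd, 'cleartext' if a literal secret, 'none' otherwise."""
    m = PASSWORD_RE.search(check_items)
    if not m:
        return "none"
    if m.group(2) is not None:         # quoted literal => readable in the clear
        return "cleartext"
    return "unix" if m.group(3).rstrip(",").upper() == "UNIX" else "cleartext"

def audit(text):
    """Map each username to its password storage class."""
    return {name: classify_password(items) for name, items in parse_users(text)}

if __name__ == "__main__":
    report = audit(SAMPLE_USERS)
    for name, kind in report.items():
        print(f"{name:10} {kind}")
    print("cleartext entries:", Counter(report.values())["cleartext"])
```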
