[2970] in bugtraq


Re: Livingston RADIUS - pwfile is plain text!!? (fwd)

daemon@ATHENA.MIT.EDU (Micah Anderson)
Fri Jul 19 15:23:34 1996

Date: 	Fri, 19 Jul 1996 01:39:48 -0700
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Micah Anderson <micah@smmedia.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

No, RADIUS does store the username and password field (depending on the
service) in plain text. For example, it is necessary for CHAP
authentication in certain instances. However, there are ways to encrypt
the passwords (using 4th party hacks) in the file and it is not absolutely
necessary to have a plaintext password if it is done right, but it is, as
open as it seems, usually done that way.

Micah

On Thu, 18 Jul 1996 webmaster@megahits.com wrote:

> In a decision which I vehemently protested (not only because of the security
> risks it posed but also because it was the final step towards completely
> removing linux from our network), this company recently abandoned its Cygnus
> Network Security (CNS) kerberos setup on a linux 1.2.13 box, in favor of
> Livingston RADIUS on NT 3.51.
>
> (see http://www.livingston.com/Marketing/Products/radius.shtml)
>
> Now this very well may be the fault of those who installed it, but it seems
> to me, after a little investigation, that the file containing all user names
> and passwords is stored in C:\RADIUS\ ... as PLAIN TEXT! If this is true,
> and the installation was carried out correctly, then Livingston's
> incarnation of RADIUS is simply laughable. If not, and the people who
> installed it here are to blame, then shame on them for not taking the proper
> steps to even ATTEMPT to disguise/secure the location and contents of the
> password file.
>
> What I would like to know is if anyone has had any experience with this
> product, and can tell me what needs to be done to fix this blatantly obvious
> problem.
>
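
Added example, not part of the original post or of Livingston's code: why CHAP (RFC 1994, MD5) needs the server to hold the cleartext secret, while a PAP check still works against a one-way hash. The function names, the PBKDF2 stand-in for the hashed users file, and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994, MD5 algorithm: digest over identifier || secret || challenge.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def hash_password(password: bytes, salt: bytes) -> bytes:
    # Stand-in one-way hash for a stored users file (assumption for this example).
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def verify_pap(record: dict, submitted: bytes) -> bool:
    # PAP: the server ends up holding the submitted password, so it can hash
    # it and compare against a one-way hash; no cleartext on disk is needed.
    candidate = hash_password(submitted, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)

def verify_chap(secret_on_disk: bytes, ident: int, challenge: bytes,
                response: bytes) -> bool:
    # CHAP: the password never arrives; the server must recompute the digest
    # itself, which needs the same secret bytes the client used.
    expected = chap_response(ident, secret_on_disk, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = b"constructed-password"      # constructed sample value
    salt = os.urandom(16)
    hashed_record = {"salt": salt, "hash": hash_password(password, salt)}

    ident, challenge = 7, os.urandom(16)    # server-issued challenge
    client_response = chap_response(ident, password, challenge)

    return {
        "pap_with_hashed_file": verify_pap(hashed_record, password),
        "pap_wrong_password": verify_pap(hashed_record, b"wrong"),
        "chap_with_cleartext_file": verify_chap(
            password, ident, challenge, client_response),
        "chap_with_hashed_file": verify_chap(
            hashed_record["hash"], ident, challenge, client_response),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

A file encrypted at rest can still serve CHAP only if the server can decrypt it back to the original secret, so the key protecting that file becomes the thing to guard.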
