[ LUGOS ] SiOL CHAP auth
Stojan Rancic
stojan at bofh.cx
Wed Jul 18 20:47:19 CEST 2001
Hi Igor,
Wednesday, July 18, 2001, 8:40:12 PM, you wrote:
> As far as I know, CHAP is more secure. Or is it?
From the Radius documentation:
>You have 2 choices:
>
>1. You allow CHAP and store all the passwords plaintext.
> Advantage: passwords don't go cleartext over the phone line between
> the user and the terminal server. Disadvantage: You have to
> store the passwords in cleartext on the server.
>
>2. You don't allow CHAP, just PAP. Advantage: you don't store
> cleartext passwords on your system. Disadvantage: passwords go
> in cleartext over the phone line between the user and the
> terminal server.
>
>Now, people say CHAP is more secure.
> Now you decide which is more likely:
>
>- the phone line between the user and the terminal server gets sniffed
> and a cracker (a GOOD one) intercepts just one password
>- your radius server is hacked into and a cracker gets ALL passwords
> of ALL users.
>
>Right. Still think CHAP is more secure ? I thought so.
>
>This is a limitation of the CHAP protocol itself, not the RADIUS
>protocol. The CHAP protocol *requires* that you store the passwords in
>plain-text format.
GreetZ, Stojan
---------------
But my little voice TOLD me to do it!
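
The storage trade-off quoted above, as an added example that is not part of the original post or of the Radius documentation: a CHAP response per RFC 1994 is MD5(identifier || secret || challenge), so the verifier has to recompute it from the secret itself, while a PAP password arrives in the clear and can be checked against a one-way hash. The PBKDF2 parameters, the function names and the sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(stored_secret, identifier, challenge, response):
    # The server recomputes the digest, so it needs the secret itself.
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_store(password):
    # Assumption: PBKDF2-SHA256 stands in for whatever one-way hash the server uses.
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def pap_verify(record, password):
    # PAP delivers the password itself, so a salted hash is enough to check it.
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return hmac.compare_digest(digest, candidate)


def demo():
    password = b"correct horse"   # constructed sample value
    identifier = 7                # constructed CHAP identifier
    challenge = os.urandom(16)    # fresh challenge from the terminal server

    response = chap_response(identifier, password, challenge)

    # Server that keeps the cleartext secret: verification works.
    chap_ok = chap_verify(password, identifier, challenge, response)

    # Server that keeps only a hash of the password: it cannot recompute
    # the client's digest, so the same response is rejected.
    hashed_only = hashlib.sha256(password).digest()
    chap_with_hash = chap_verify(hashed_only, identifier, challenge, response)

    # PAP against a stored salted hash: no cleartext kept on the server.
    pap_ok = pap_verify(pap_store(password), password)
    return chap_ok, chap_with_hash, pap_ok


if __name__ == "__main__":
    print(demo())
```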