[ LUGOS ] SiOL CHAP auth

Stojan Rancic stojan at bofh.cx
Wed Jul 18 20:47:19 CEST 2001


Hi Igor,

Wednesday, July 18, 2001, 8:40:12 PM, you wrote:


> As far as I know, CHAP is more secure. Or is it?

From the RADIUS documentation:

> You have 2 choices:
>
> 1. You allow CHAP and store all the passwords plaintext.
>    Advantage: passwords don't go cleartext over the phone line between
>    the user and the terminal server. Disadvantage: You have to
>    store the passwords in cleartext on the server.
>
> 2. You don't allow CHAP, just PAP. Advantage: you don't store
>    cleartext passwords on your system. Disadvantage: passwords go
>    in cleartext over the phone line between the user and the
>    terminal server.
>
> Now, people say CHAP is more secure.
> Now you decide which is more likely:
>
> - the phone line between the user and the terminal server gets sniffed
>   and a cracker (a GOOD one) intercepts just one password
> - your radius server is hacked into and a cracker gets ALL passwords
>   of ALL users.
>
> Right. Still think CHAP is more secure? I thought so.
>
> This is a limitation of the CHAP protocol itself, not the RADIUS
> protocol. The CHAP protocol *requires* that you store the passwords in
> plain-text format.


                                    GreetZ, Stojan
---------------
But my little voice TOLD me to do it!
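To show why the quoted documentation says CHAP forces the server to keep the secret in plaintext while PAP does not, here is an added example (not from the RADIUS documentation or from anyone in this thread): the CHAP MD5 response from RFC 1994 next to a PAP-style check against a salted hash. The sample password, the PBKDF2 parameters and the helper names are constructed for the demo.

```python
import hashlib
import hmac
import os

# CHAP (RFC 1994, MD5 algorithm): the peer proves knowledge of the shared
# secret by hashing it with a server-chosen challenge. The secret itself
# never crosses the wire, only the challenge and this response.
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # Response-Value = MD5(Identifier || Secret || Challenge)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    # The server must recompute the same hash, so whatever it has stored
    # must be the secret itself: a hash of the secret is useless here.
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

# PAP: the password is sent as-is, so the server can store only a salted,
# stretched hash and compare against that. (Constructed helper, not RADIUS API.)
def pap_store(password: bytes, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def pap_verify(password_on_wire: bytes, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password_on_wire, salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def demo() -> dict:
    secret = b"correct horse"      # constructed sample password
    challenge = os.urandom(16)     # server picks a fresh challenge per login

    # CHAP round trip with the plaintext secret on file: works.
    wire_chap = {"challenge": challenge, "response": chap_response(1, secret, challenge)}
    chap_ok = chap_verify(1, secret, wire_chap["challenge"], wire_chap["response"])

    # CHAP with only a hash of the secret on file: verification fails,
    # which is the "CHAP requires plaintext storage" limitation quoted above.
    hashed_only = hashlib.sha256(secret).digest()
    chap_hashed_store = chap_verify(1, hashed_only, challenge, wire_chap["response"])

    # PAP: the wire carries the password, the server keeps only salt + digest.
    wire_pap = {"password": secret}
    salt, digest = pap_store(secret)
    pap_ok = pap_verify(wire_pap["password"], salt, digest)

    return {"chap_ok": chap_ok, "chap_with_hashed_store": chap_hashed_store,
            "pap_ok": pap_ok, "secret_on_wire_chap": secret in wire_chap.values(),
            "secret_on_wire_pap": secret in wire_pap.values()}
```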
