
List:       freeradius-users
Subject:    Re: log clear passwords
From:       Evren Yurtesen <yurtesen () ispro ! net ! tr>
Date:       2003-08-31 4:18:22

Yet you can see that they type the password wrong. If you are using CHAP 
then you should accept that you can't learn more than that.

As a matter of fact, using CHAP is not any more secure than using PAP if 
you are using it for dialup. It is extremely difficult to spy on a 
dialup line anyhow (thus it wouldn't be worth it for cracking either). If the 
password exchanged between the client and the NAS is not encrypted, who 
cares? :) The information exchanged between the NAS and FreeRADIUS 
is already encrypted, so there is also very little risk of compromising 
the security.

The downside of using CHAP is that if you lose your user database, then you 
are doomed. You must change every user's password, doh. If the user 
forgets his password then it should be trivial to give a new one though.

So for a dialup environment, using PAP is actually acceptable. Also you 
can use PAP with cleartext passwords too if you want.

Evren

Omar Armas wrote:
>>  Why would you want to log the password from the database?  You can
>>always look it up in the database, if you care what it is.
> 
> 
> 
> In my case, we migrated 2000 dial up users to a new ISP. We were given a
> list of login and passwords, not fully updated with the real info in the
> client side. 
> I want to log the clear text password to be able to say to the client
> "you are typing XXX as password".
> It's incredible, but we have many dial up users who say "I'm typing X as
> password", but they are entering "Y".
> It's just to give better support to clients.
> 
> Omar
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
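
An added illustration of the CHAP/PAP trade-off discussed in this message (not code from the post or from FreeRADIUS): CHAP verification per RFC 1994 requires the cleartext password on the server and tells it only match or mismatch, while PAP delivers the typed password, so the server can keep a salted hash instead. The function names, the PBKDF2 storage scheme and the sample passwords are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify_chap(stored_cleartext: bytes, ident: int, challenge: bytes,
                response: bytes) -> bool:
    # The server must recompute the digest, so it needs the cleartext secret.
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)

def hash_password(password: bytes, salt: bytes) -> bytes:
    # Assumed storage scheme for the PAP case (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def verify_pap(salt: bytes, stored_hash: bytes, typed: bytes) -> bool:
    # PAP hands the server the typed password, so a one-way hash suffices.
    return hmac.compare_digest(hash_password(typed, salt), stored_hash)

def demo() -> dict:
    real, typo = b"Summer03", b"summer03"   # constructed sample passwords
    ident, challenge = 7, os.urandom(16)    # values the NAS would choose
    salt = os.urandom(16)
    stored_hash = hash_password(real, salt)
    return {
        # Correct password: digest matches.
        "chap_ok": verify_chap(real, ident, challenge,
                               chap_response(ident, real, challenge)),
        # Mistyped password: the server learns "mismatch" and nothing else.
        "chap_typo": verify_chap(real, ident, challenge,
                                 chap_response(ident, typo, challenge)),
        # All the server ever receives under CHAP is a 16-byte MD5 digest.
        "chap_bytes_seen": len(chap_response(ident, typo, challenge)),
        "pap_ok": verify_pap(salt, stored_hash, real),
        "pap_typo": verify_pap(salt, stored_hash, typo),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
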


