List: freeradius-users
Subject: Re: SQL module and credentials configured in the clear
From: Alan DeKok <aland () deployingradius ! com>
Date: 2022-04-29 0:46:22
Message-ID: 179ED2DF-F3BA-463E-98E1-1CF9FA4B1868 () deployingradius ! com
On Apr 28, 2022, at 7:57 PM, Brendan Kearney <bpk678@gmail.com> wrote:
> for a myriad of purposes, i have my radius servers connect to MariaDB, and have configured mods-available/sql with the requisite user/pass credential set. i am wondering if the case can be made to add/include the option to use the keytab created and used for LDAP connectivity. having a user/pass combo in clear text on the filesystem is a no-no in many organizations.
I disagree, but people can do whatever they want on their own systems.
The underlying issue is that the credentials have to go somewhere. The RADIUS server has to read the credentials from somewhere, so you're just moving the problem down one level.
Or, you store the credentials in a different format (keytab, certificate, etc.), in which case an attacker who can read the local file system can still do everything that the RADIUS server can do.
The only thing gained by using a keytab file is some happy thoughts that the "password" isn't stored as clear-text. But the credentials are still accessible to any attacker, for use as they please.
> it is entirely possible to use the keytab and connect to a properly configured mariadb instance with a keytab. can the functionality to authenticate to databases like mariadb with the keytab be added?
What API should we use? The MySQL documentation shows APIs which take username and password:
https://dev.mysql.com/doc/c-api/8.0/en/mysql-real-connect.html
Which API takes a keytab?
I've taken a quick look around the MySQL client documentation, and there's nothing obvious.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
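The practical consequence of the argument above is that what protects the database credential is who can read the file holding it, not the format the secret is written in. The following audit script is an added example written for this archive page; it is not part of the thread or of the FreeRADIUS project. It assumes a FreeRADIUS 3.x-style `sql` module block using `login` and `password` keys, and the sample config, credential value and temporary file paths are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Constructed sample in the style of mods-available/sql (FreeRADIUS 3.x).
# The `login`/`password` key names are an assumption about the config
# format; the credential value is made up for this example.
SAMPLE_SQL_CONFIG = '''
sql {
    driver = "rlm_sql_mysql"
    server = "db.example.internal"
    login = "radius"
    password = "s3cret-example"   # constructed value, not a real credential
}
'''

# Matches `login = "..."` / `password = "..."` lines, quoted or bare.
CRED_KEY_RE = re.compile(r'^\s*(login|password)\s*=\s*"?([^"#\n]*)"?', re.M)


def find_credentials(text):
    """Return {key: value} for the credential keys present in a config fragment."""
    return {m.group(1): m.group(2).strip() for m in CRED_KEY_RE.finditer(text)}


def audit_credential_file(path, expected_owner_uid=None):
    """Return a list of findings about a file that holds a service credential.

    The read bits are what matter: whoever can read the file can use the
    secret, whether it is a clear-text password, a keytab or a certificate.
    An empty list means the file is readable only by its owner and holds no
    recognised credential keys.
    """
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by non-owner")
    if expected_owner_uid is not None and st.st_uid != expected_owner_uid:
        findings.append("unexpected owner uid %d" % st.st_uid)
    with open(path) as fh:
        creds = find_credentials(fh.read())
    if "password" in creds:
        # Informational: the secret is here, so the mode checks above apply.
        findings.append("clear-text password present for login %s" % creds.get("login"))
    return findings


def demo():
    """Write the constructed sample to a temp file and audit it at two modes."""
    results = {}
    with tempfile.NamedTemporaryFile("w", suffix=".sql", delete=False) as fh:
        fh.write(SAMPLE_SQL_CONFIG)
        path = fh.name
    try:
        for mode in (0o644, 0o600):
            os.chmod(path, mode)   # explicit mode, independent of umask
            results[oct(mode)] = audit_credential_file(path)
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, findings)
```

Run against a real `mods-available/sql` by calling `audit_credential_file("/path/to/sql", expected_owner_uid=<radius uid>)`; a clean result is a file that is mode 0600 (or 0640 with a group limited to the daemon) and owned by the account the server runs as.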