On Thu, 5 Sep 1996 thoth@purplefrog.com wrote:
>
> I was just thinking. If some people are nervous about storing CHAP
> passwords in cleartext, why not encrypt them with the portmaster secret?
>
> 1) if someone can read your RADIUS user database, they can probably access
> the shared secrets file
>
> 2) The secret on one PM may be different from the secret on another.
>
> The added security would be marginal.

It would most help so that staff didn't accidentally see the password when
they had to work in the users file. I was actually thinking it would be
good but with a different secret. Something like
md5hash(secret+username+salt)^password and store salt:password in the
database. The salt should be changed at random whenever the password
changes.

Steven P. Crain scrain@shore.net
Unix Administration and Programming
North Shore Access
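
The masking scheme sketched in the reply above, as an added example that is not part of the original message. It also shows why the salt has to change with every password change. The function names, the hex encoding of the stored field, the 8-byte salt and the refusal of passwords longer than 16 bytes are assumptions; all sample values are constructed.

```python
import hashlib
import os

DIGEST_LEN = 16  # MD5 output size: one pad covers at most 16 password bytes

def pad_for(secret: bytes, username: bytes, salt: bytes) -> bytes:
    # md5hash(secret+username+salt), as written in the message
    return hashlib.md5(secret + username + salt).digest()

def mask_password(secret, username, password, salt=None):
    """Build the 'salt:password' users-file field (both halves hex-encoded)."""
    if len(password) > DIGEST_LEN:
        # Assumption: the message does not cover longer passwords, so refuse
        raise ValueError("password longer than one MD5 block")
    salt = os.urandom(8) if salt is None else salt  # fresh salt per change
    pad = pad_for(secret, username, salt)
    masked = bytes(p ^ k for p, k in zip(password, pad))
    return salt.hex() + ":" + masked.hex()

def unmask_password(secret, username, field):
    """Recover the cleartext the server needs to verify a CHAP response."""
    salt_hex, masked_hex = field.split(":")
    pad = pad_for(secret, username, bytes.fromhex(salt_hex))
    return bytes(c ^ k for c, k in zip(bytes.fromhex(masked_hex), pad))

def xor_masked(field_a, field_b):
    """XOR the masked halves of two fields; no secret is needed for this."""
    a = bytes.fromhex(field_a.split(":")[1])
    b = bytes.fromhex(field_b.split(":")[1])
    return bytes(x ^ y for x, y in zip(a, b))

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread
    secret, user = b"constructed-db-secret", b"alice"
    old_pw, new_pw = b"winter96", b"summer97"
    fixed = bytes(8)  # salt wrongly kept across a password change
    reused = xor_masked(mask_password(secret, user, old_pw, fixed),
                        mask_password(secret, user, new_pw, fixed))
    # Same salt means same pad, so the pad cancels out of the XOR
    print("salt reused:", reused == bytes(x ^ y for x, y in zip(old_pw, new_pw)))
    field = mask_password(secret, user, new_pw)  # random salt
    print(field, unmask_password(secret, user, field))
```

The masked half is as long as the password, so the stored field still reveals password length, and anyone holding the database secret can reverse it, which CHAP requires of the server anyway.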