RE: BillMax questions -- Plaintext Password
> >CHAP does require plaintext passwords on the server, but PAP does not,
> >which is why we stuck with PAP. I wouldn't call being forced to keep
> >plaintext passwords on my server a "bonus"!
> >
>
> But wait, Jeff - if you're using PAP then the crackers can come to your
> house and climb the telephone pole and put a modem on your phone line and
> pick off the plaintext password that you're sending to the term server when
> you dial in. Right? At least, that's what all the CHAP proponents
> say will happen. ;-)
Well, that is a bit extreme, but true :) I think UUNet and other long
haul NAS providers want CHAP because they don't want to be liable for
passwords being sniffed on network connections they have no control
over. Fair enough. I honestly thought the RADIUS protocol would just be
encrypted by this point. What point is the client/server shared secret
otherwise (other than authenticating the connect)? Shouldn't be a big
deal for the client/server to use that secret for a cipher. If they break
your shared secret you could have worse problems!
> or a SQL server like with icradius.
I'm actually against this - I think it adds more overhead than just a
Berkeley DB file. I haven't seen any benchmarks, but I would be willing
to bet quite a bit that db file will be the fastest.
>
> [ much stuff about employee trust ]
>
I'm all for trusting my employees, and of course any really pissed off
employee can find a way to cause damage if he/she wants to... The point
really was if there is no good reason to store cleartext passwords, you
shouldn't do it.
Thanks,
j
-----------------------------------------------------------------------------
To unsubscribe from the "BillMax Questions" mailing list, please
send a message to "majordomo@billmax.com" with "unsubscribe questions"
in the message body. The message must be sent from the exact email
address on the list.