2

I'm experimenting with Freeradius and have configured an ssh gateway to use pam_radius_auth to my ldap servers. In /etc/pam_radius_auth.conf I have:

10.1.1.21    ny3fa4bu7my6ku7       3
10.1.1.22    ny3fa4bu7my6ku7       3

The authentication works but tcpdump is showing clear-text on the wire:

14:12:50.846356 IP 10.14.13.19.2584 > 10.1.1.21.1812: RADIUS, Access Request (1), id: 0x03 length: 116
E...o.@.?.-...........|.....t.S...... ....
....myuser..5.H.....q2g.......
... .sshd......=............(host-176.brassy.bork.net

I've read that Freeradius will do PEAP and EAP-TLS but I don't see any way to configure pam_radius_auth to use that option. Anyone have this working over some flavor of TLS?

Server Fault
  • 547
  • 1
  • 4
  • 17
  • Radius is mostly a plain protocol except the password which is basically a XOR of the password with the MD5 of the shared secret and the client info which theoretically it can be broken (with bonus points because the shared secret is the same for all users in your case). TLS will only work if the client supports it. Depending on your access the the radius server you could use encrypted port forwarding (if radius listens only udp than you need udp -> tcp -> stunnel and the reverse), a local proxy to convert udp to tls if you radius server is already set up for it or radsec if you can. – nkms Sep 09 '15 at 09:10

0 Answers0