
Re: Follow up on Authorize Only issue



"Bernard Aboba" <bernard_aboba@hotmail.com> wrote:
> For example, should a NAS be able to retrieve the Tunnel-Password attribute 
> of any user, regardless of whether they are connected?

  i.e. A compromised NAS can leverage this requested feature to obtain
that information more readily.  Right now, if the NAS hasn't had a
user log in through it, it can get those credentials only through a
brute force attack on the password.  The server *should* be able to
catch that attack, mitigating the vulnerability.

  For users who have logged in through a compromised NAS, nearly all
hope for security is lost.

> If this is allowed, it should follow the principle of "least privilege", 
> only providing the attributes relevant to SSH.

  Which means that the Access-Request has to be recognizable as for
SSH in this use-case.  This means an attribute or value specifically
for this purpose.  The RADIUS server can then key off of that special
request, and return a limited response.

  The use case should also enumerate the possible attributes and
values needed in the Access-Accept, and state explicitly that
responding with any other attributes or values may result in security
violations.  i.e. Other attributes and values SHOULD NOT be sent in
the Access-Accept.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
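As an added example (not part of the thread, and not code from any RADIUS server or from the list participants), the policy sketched above expressed in Python: an Access-Request that is recognizable as an authorize-only request for SSH gets an Access-Accept filtered down to an enumerated allow-list, everything else (Tunnel-Password included) is stripped and logged, and a per-NAS counter flags the brute-force path the reply mentions. Packets are modelled as plain attribute dicts, not wire format. Service-Type "Authorize-Only" is the RFC 5176 value; the SSH marker attribute name, the allow-list contents and the sample values are assumptions constructed for the example.

```python
"""Least-privilege filtering of a RADIUS Access-Accept for authorize-only
SSH requests, plus per-NAS failure counting (added example).

Packets are modelled as {attribute_name: value} dicts; encoding is out of
scope.  Attribute names are the RFC 2865/5176 names except the SSH marker,
which is an assumed placeholder: the thread only says such a marker is
needed, it does not define one.
"""

from collections import defaultdict

# RFC 5176 Service-Type value used to mark an authorize-only request.
AUTHORIZE_ONLY = "Authorize-Only"

# ASSUMED placeholder for "an attribute or value specifically for this
# purpose"; not a registered RADIUS attribute.
SSH_MARKER = "SSH-Authorize-Request"

# CONSTRUCTED allow-list for the SSH use case.  Anything not listed here
# (Tunnel-Password, Framed-IP-Address, ...) SHOULD NOT be sent and is dropped.
SSH_ALLOWED_ATTRS = frozenset({
    "Session-Timeout",
    "Idle-Timeout",
    "Reply-Message",
    "Filter-Id",
})


def is_ssh_authorize_only(request):
    """True when the request carries both the authorize-only Service-Type
    and the SSH marker, i.e. it is recognizable as the SSH use case."""
    return (request.get("Service-Type") == AUTHORIZE_ONLY
            and request.get(SSH_MARKER) is not None)


def filter_access_accept(request, accept):
    """Return (filtered_accept, stripped_attribute_names).

    For a recognized SSH authorize-only request only the allow-listed
    attributes survive; the names of everything removed are returned so the
    server can log them.  Other requests are passed through unchanged.
    """
    if not is_ssh_authorize_only(request):
        return dict(accept), []
    kept = {k: v for k, v in accept.items() if k in SSH_ALLOWED_ATTRS}
    stripped = sorted(k for k in accept if k not in SSH_ALLOWED_ATTRS)
    return kept, stripped


class NasFailureMonitor:
    """Counts rejected requests per NAS so a NAS that is guessing passwords
    (the brute-force path a compromised NAS would otherwise have to take)
    trips an alert once it crosses the threshold."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.failures = defaultdict(int)

    def record(self, nas_ip, accepted):
        """Record one result; return True when this NAS should be flagged."""
        if accepted:
            return False
        self.failures[nas_ip] += 1
        return self.failures[nas_ip] >= self.threshold


def demo():
    """Run the policy over constructed sample packets and return the result."""
    # CONSTRUCTED sample request and the unfiltered accept the backend produced.
    request = {
        "User-Name": "alice",
        "NAS-IP-Address": "192.0.2.10",
        "Service-Type": AUTHORIZE_ONLY,
        SSH_MARKER: "1",
    }
    accept = {
        "Tunnel-Password": "example-tunnel-secret",   # must never leave the server here
        "Framed-IP-Address": "198.51.100.7",
        "Session-Timeout": 3600,
        "Reply-Message": "Welcome",
    }
    kept, stripped = filter_access_accept(request, accept)
    return kept, stripped


if __name__ == "__main__":
    kept, stripped = demo()
    print("Access-Accept sent:", kept)
    print("Attributes stripped (log these):", stripped)
```

The monitor is deliberately separate from the filter: stripping Tunnel-Password removes the direct disclosure path, while the counter covers the remaining guessing path, so a deployment needs both.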