first words: "Trust no one."

something about this sentence makes me sick: "In an ideal world, we wouldn't have to use authentication of any type to gain access to anything. But as long as free enterprise exists and access to private resources is sold, authentication will exist."

RADIUS - remote access dial-in user service

Who are you?
What services am I allowed to give you?
What did you do with my services while you were using them?

radius uses AAA model

client/server

trust relationship

agent sequence
pull sequence
push sequence

RADIUS has most likely been replaced by now

good idea: "Third, RADIUS is stateless (you heard about this earlier). That is to say, it does not keep track of configuration settings, transaction information, or any other data for the next session."

really cool! "To strengthen security and increase transactional integrity, the RADIUS protocol uses the concept of shared secrets. Shared secrets are values generated at random that are known to both the client and the server (hence the "shared"). The shared secret is used within all operations that require hiding data and concealing values. The only technical limitation is that shared secrets must be greater than 0 in length, but the RFC recommends that the secret be at least 16 octets. A secret of that length is virtually impossible to crack with brute force. The same set of best practices that dictate password usage also govern the proper use of RADIUS shared secrets."

RADIUS is just an authentication protocol, normal network packets do not pass through it, just user identification..

interesting: "Passwords can also be retrieved from a directory service (such as Microsoft's Active Directory, Novell's eDirectory, or a generic LDAP directory store), from an encrypted file, or by some other means."
i wonder what this means: "The RFC does not require or recommend a specific routing policy protocol, such as router information protocol (RIP) or open-shortest-path-first (OSPF), nor does it designate specific routing announcements to be broadcast or ignored. In other words, the doors are wide open"

freeRADIUS is what you use to implement RADIUS on a server

it seems all similar network software has the bulk of its issues in the config files

RADIUS seems like it would be easy to crack

important: "The mod_radius_auth module follows a predictable pattern in its use. A typical transaction occurs like this: The browser submits a page request for http://www.website.com/index.html. Apache sees that the directory is secured and sends an Authorization Required prompt (with spaces for the username and password) to the end user. The user responds to the authentication request with his credentials. The browser sends the response, and the same page request once again, to Apache. Apache receives the user's response and hands it off to mod_auth_radius. The module sees that a cookie is not present (since this is the user's first request.) It constructs a RADIUS request and transmits it to the RADIUS server. The RADIUS server performs the authentication and sends its response back to mod_auth_radius. mod_auth_radius interprets the RADIUS server's decision. If the authentication was deemed successful, the module sends a cookie with the public and private information hidden using MD5. If the authentication was unsuccessful, the module returns an Access Denied message. The web browser sends the cookie with any other request. As long as mod_auth_radius recognizes the cookie as valid, it will not send another request to the RADIUS server."

idea: cookie sale. selling cookies for websites requiring authentication

RADIUS HAS SECURITY PROBLEMS!

The shared secret is vulnerable because of the weak MD5 hash that hides the response authenticator.
A hacker could easily attack the shared secret by sniffing a valid Access-Request packet and its corresponding response. He can easily get the shared secret by pre-computing the MD5 calculation from the code, ID, length, request authenticator, and attributes portion of the packets and then resuming the hash for each guess he makes.

AGHHH AMAZING: "An attacker can get around any rate limits of authentication placed by the administrator of the RADIUS server because of the use of the stream cipher to protect the User-Password attribute. Here's how it works: the hacker first tries to authenticate against a RADIUS server using a known good username and a known, but probably incorrect, password. She takes the resulting Access-Request packet and figures out the MD5 result of the request authenticator + shared secret combination, as described earlier. She can then use a brute-force password attack by switching out the passwords in the packet and using the same request authenticator and shared secret. This will only work, however, if the password is less than or equal to 16 characters, since the User-Password cipher becomes self-synchronizing at the 17th character by including previous ciphertext in the encryption."

lesson learned: if i ever become a hacker and want to know how to break in to somewhere specific, just buy a FUCKING BOOK ON THE SOFTWARE, WHERE THE AUTHOR LAYS IT OUT!

packets have the key to everything

Acct-Input-Gigawords
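Added example, not part of these notes or of the book they quote: the two MD5 constructions the quotes above refer to, written out as RFC 2865 defines them (User-Password hiding with its 16-octet block chaining, and the Response Authenticator a client checks before trusting a reply). The secret, authenticator, attribute bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def check_secret(secret: bytes) -> str:
    # Limits quoted in the notes: length > 0 required, >= 16 octets recommended.
    if len(secret) == 0:
        raise ValueError("shared secret must be longer than 0 octets")
    return "ok" if len(secret) >= 16 else "below recommended 16 octets"

def _xor_chain(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()  # block 1 is keyed by the authenticator
        block = bytes(d ^ m for d, m in zip(data[i:i + 16], mask))
        out += block
        prev = block if hiding else data[i:i + 16]  # later blocks chain on ciphertext
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    check_secret(secret)
    if len(request_auth) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-octet authenticator and a 1..128 octet password")
    padded = password + b"\x00" * (-len(password) % 16)  # pad with NULs to 16n octets
    return _xor_chain(padded, secret, request_auth, hiding=True)

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _xor_chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")

def response_authenticator(code, ident, attributes, request_auth, secret) -> bytes:
    # MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

SECRET = b"constructed-secret-16+"  # constructed sample values, not from a real deployment
REQUEST_AUTH = bytes(range(16))

def demo():
    hidden = hide_password(b"seventeen-chars-x", SECRET, REQUEST_AUTH)
    attrs = b"\x12\x07hello"  # Reply-Message (type 18), length 7
    auth = response_authenticator(2, 1, attrs, REQUEST_AUTH, SECRET)  # 2 = Access-Accept
    packet = struct.pack("!BBH", 2, 1, 20 + len(attrs)) + auth + attrs
    return hidden, packet
```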