I was quite surprised to find out that the RADIUS shared secret key is stored in plain text in the config.
Can we encrypt it just like we do with user accounts? e.g. encrypted-password
It's a secret, not a public key.
The user account passwords aren't really encrypted but rather stored as a salted hash.
This means that what's stored and compared against is the resulting hash.
This is not really possible with radius which means that you must store the “secret passphrase” encrypted in VyOS rather than salted hash (unless you store it in cleartext as it is today).
And when it gets encrypted in VyOS (since VyOS must be able to decrypt it before sending it to the RADIUS server, or using it as salt on data sent to the RADIUS server), this means that any admin can also reverse this, since the key used to encrypt this part of the config will be available to the admin.
It will also be somewhat tricky to deal with backup and restore into a new device.
So in short: don't let others read your configs. And if you have to, then let the configs pass through some cleaning first, such as:
show config commands | strip-private
When it comes to communicating with the radius server the following best practices (among others) should be applied:
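An added example (not VyOS code and not written by any poster in this thread) that shows the distinction the post above draws: a login password can be stored as a salted one-way hash because the device only ever needs to compare hashes, whereas a RADIUS shared secret must be available in plaintext at runtime because RFC 2865 feeds the secret bytes into the User-Password hiding step and the Response Authenticator. PBKDF2 is used here as a stand-in for whatever hash the system's password store actually uses, and the secret, password and Request Authenticator values are constructed sample data.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# --- User account password: salted one-way hash -------------------------
# The stored string never contains the password; verification recomputes
# the hash from the candidate password and the stored salt and compares.
# PBKDF2-SHA256 is an assumption here, not necessarily what VyOS uses.

def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison of the two hex digests
    return hmac.compare_digest(recomputed.hex(), digest_hex)

# --- RADIUS shared secret: must be recoverable ---------------------------
# RFC 2865 section 5.2: the User-Password attribute is XORed, 16 bytes at a
# time, with MD5(secret + Request Authenticator) for the first block and
# MD5(secret + previous ciphertext block) for the rest. The client needs
# the raw secret bytes to build the request, and the server needs them to
# reverse it, so a one-way hash of the secret could never be used here.

def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte multiple
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)

def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    # RFC padding is NUL bytes; this strips them (a password ending in NUL is not supported)
    return bytes(out).rstrip(b"\x00")

def radius_response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    # Again the plaintext secret is a direct input, on both client and server.
    length = 20 + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def demo() -> dict:
    # Constructed sample values; none of these are real credentials.
    stored = hash_password("sample-login-pass")
    request_auth = bytes(range(16))          # fixed instead of random, for reproducibility
    secret = b"constructed-radius-secret"
    hidden = radius_hide_password(b"user-pass", secret, request_auth)
    return {
        "stored_hash": stored,
        "login_ok": verify_password("sample-login-pass", stored),
        "login_wrong": verify_password("other-pass", stored),
        "hidden": hidden,
        "revealed_with_secret": radius_reveal_password(hidden, secret, request_auth),
        "revealed_without_secret": radius_reveal_password(hidden, b"wrong-secret", request_auth),
        "resp_auth": radius_response_authenticator(2, 1, request_auth, b"", secret),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running this shows the asymmetry in one place: `stored_hash` can be handed to anyone without revealing the login password, but `revealed_with_secret` only comes out right when the exact secret bytes are present, which is why a config that holds the RADIUS secret in any form the device can read is effectively readable by anyone with admin access to that device, and why filtering the config before sharing it is the practical mitigation.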
Arista does hash/salt radius secrets: EOS 4.31.1F - User Security - Arista
So does JunOS: RADIUS Authentication | Junos OS | Juniper Networks
And IOS etc etc
So I guess the best practice is to store it encrypted. Could you make this possible in VyOS?
You should create a feature request on https://vyos.dev/