Re: Authentication ?

Dale E. Reed Jr. ( (no email) )
Fri, 25 Apr 1997 01:26:32 -0700

Alan Cragg wrote:
>
> On the point of authentication,
>
> What is the best way to secure the user list if it is in a MS Access
> Database. It is a system DSN if radius is installed as a service, correct?
> How accessible is this database to external users, by external I mean
> anyone connected to the machine through the network by any protocol.

As tight or loose as you make it. Assuming you are on an NTFS volume,
you can set strict rights for the file. The service and whatever else
you need is the only thing that needs access to it.

> Also, if putting Winnt in as the password causes radius to lookup the
> password in the NT database and then write an unencrypted copy into the
> Radius database isn't this defeating the NT security somewhat. If the
> person later changes his winnt password then this change won't reflect in
> the Radius database, and vice-versa, which kind of makes the feature not so
> useful.

The feature is designed to migrate the users OUT OF the NT SAM. Not
keeping using the NT SAM afterwards. Just don't use the feature if
you want to continue using the NT SAM. For example, a startup ISP
started with RAS. Now they want to move to a Portmaster, but don't want to
give out new passwords or call 250 current users. They can use this
feature to reverse out the passwords and eventually get rid of the users
in the NT SAM.

> Sorry if I'm babbling, but most authentication schemes use some kind of
> encryption of the user list, but Radius seems to just leave everything open
> as clear text. Has this caused anybody concern or is there some other
> safeguard that makes the Radius userlist safe.

We are looking into MD5 encrypted passwords. RadiusNT itself understands
them fine. Most software doesn't though, and I haven't met someone
who COULD encrypt passwords using the standard one-way hash. :) The
next release of Emerald will have this ability for those who are
security conscious.

-- 
Dale E. Reed Jr.  (daler@iea.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |    http://www.emerald.iea.com