google-area120 / orion-radsec

Apache License 2.0
9 stars 3 forks source link

Enhance Security: Provide Flexible Default Password Configuration #4

Closed simeononsecurity closed 9 months ago

simeononsecurity commented 10 months ago

GitHub Issue Title: Enhance Security: Provide Flexible Default Password Configuration

GitHub Issue Description: Issue: Currently, the Docker container relies on a default password ('radsec') for the RadSec Proxy. For many providers using this container as-is, having a more secure and customizable default password is essential.

Request: Propose the implementation of a flexible method for specifying the default password during the Docker container setup. Consider introducing an entrypoint script that allows installers to set a more secure and unique password of their choosing.

Rationale:

Requirements:

This enhancement will provide a more secure default configuration out of the box and accommodate the diverse needs of users deploying the RadSec Proxy Docker container.

ahenson-google commented 9 months ago

Thanks for your interest in orion-radsec!

This proxy is designed to comply with RFC 6614. Section 2.3 (4) of the RFC specifies: The shared secret to compute the (obsolete) MD5 integrity checks and attribute encryption MUST be "radsec"

The RADIUS shared secret is obsolete and shouldn't be relied upon for any security purpose, see e.g. https://networkradius.com/articles/2022/10/04/radius-insecurity.html for more information.

Assuming this request refers to the shared secret, and given the above, closing this request as infeasible.

simeononsecurity commented 9 months ago

Thanks for giving a great reason rather than turning it down and saying nothing. Much appreciated! I've read the RFC and now I agree with it. Apologies for the bother.