Hiding Passwords in Debug Output

Garber, Neal Neal.Garber at energyeast.com
Mon Sep 25 22:18:25 CEST 2006


Let me start by saying that I appreciate the amount of time and effort
you and others expend toward maintaining FreeRadius, answering
countless/repetitive "my thing don't work, what's wrong" and "how do
I..." questions, and responding to seemingly ridiculous enhancement
requests *g* from people like me.  You have certainly provided me
information that was helpful to me in getting FreeRadius working.  Thank
you for sharing your time and knowledge, Alan.

> The whole purpose of debugging mode is to print out what the server
> is doing.  Hiding information is a guaranteed way to create problems.

I agree with you 100% that having the server show what it is doing is
very helpful when troubleshooting problems.  Can you help me understand
how displaying the plaintext password tells me what the server is doing?
Even though the password is hidden by encryption in many other
protocols, it is possible to properly configure and troubleshoot
FreeRadius for these protocols.  Are you saying you don't see any value
in having the option to hide secret information?

I freely admit that I'm fairly new to FreeRadius and this list, but I
bet it's atypical that the actual value of the password (not whether the
attribute is present) is necessary for non-FreeRadius developers to
troubleshoot server problems.  If you disagree, can you help enlighten
me?

>  a) Why is it a security exposure?  You haven't explained.

Security exposure is perhaps the wrong term.  I believe it increases the
risk of user account compromise with little or no benefit to the
administrator.  Displaying the password while troubleshooting our
FreeRadius deployment did not help me solve any problems.  I'm open to
the idea that it might help some people solve problems.  But, if it's
not normally needed and it's secret information, why not give
administrators the option to suppress it (as the detail module does)? 

>     You're really saying that it's a security exposure to show
>     passwords to the administrator who has permission to stop and
>     start the server?

What I'm saying is that displaying plaintext passwords and/or
potentially storing them unencrypted on electronic media (e.g.,
redirected output from FreeRadius that is stored on disk and in
backups), increases the risk of user account compromise.  Also, being a
FreeRadius administrator does not imply that you are an administrator of
the backend user database.  I'm not sure I understand the relevance of
having permission to stop and start the server.

>  b) If the default is changed to not show the passwords, are *you*
>    going to answer umpteen questions on this list about "why does the
>     password show up as ***"?

That's an excellent point - I could easily see that outcome.  Would you
feel differently if the mask was different (e.g., "<password hidden by
config. option>")?  What if the default was to show the passwords so the
server acts the same as it does now unless the administrator goes out of
their way to change it?
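
One way to act on the concern above about redirected debug output ending up on disk and in backups, as an added example that is not part of the original message or of FreeRADIUS: a filter that masks the value of User-Password before the output is written. The "attribute = value" line layout, the sample lines and the function names are assumptions; the mask wording is the one suggested in the message.

```python
import re
import sys

# Mask wording taken from the suggestion in the message above.
MASK = "<password hidden by config. option>"

# Attributes whose values are treated as secret. User-Password is the standard
# RADIUS attribute; extend the tuple for a given deployment (assumption).
SECRET_ATTRS = ("User-Password",)

def build_pattern(attrs=SECRET_ATTRS):
    names = "|".join(re.escape(a) for a in attrs)
    # Attribute name, operator, then either a double-quoted value (allowing
    # \" escapes) or a bare token running up to a comma or whitespace.
    return re.compile(
        r'(?P<head>\b(?:%s)\s*[:=+!]?=\s*)'
        r'(?:"(?:\\.|[^"\\])*"|[^\s,]+)' % names
    )

PATTERN = build_pattern()

def redact_line(line, pattern=PATTERN, mask=MASK):
    """Replace the value of each secret attribute, keeping the attribute name
    so the reader can still see that the attribute was present."""
    return pattern.sub(lambda m: m.group("head") + '"' + mask + '"', line)

def redact_stream(src, dst):
    """Filter src to dst line by line; returns the number of lines changed."""
    changed = 0
    for line in src:
        out = redact_line(line)
        changed += out != line
        dst.write(out)
    return changed

# Constructed sample lines (not captured server output).
SAMPLE = [
    'rad_recv: Access-Request packet from host 192.0.2.10:1812, id=7\n',
    '\tUser-Name = "alice"\n',
    '\tUser-Password = "s3cr3t \\"quoted\\", with comma"\n',
    'auth: user supplied User-Password matches local User-Password\n',
]

if __name__ == "__main__":
    # Use as a pipe stage before redirecting to a file; with no piped
    # input it runs over the constructed sample instead.
    src = SAMPLE if sys.stdin.isatty() else sys.stdin
    redact_stream(src, sys.stdout)
```

Lines that merely mention the attribute name without assigning a value pass through unchanged, so the masked output still shows whether the attribute was present.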
