a bit off-topic policy question

Dennis Skinner dskinner at bluefrog.com
Mon Jan 8 21:17:09 CET 2007


Matt Ashfield wrote:
> The issue we have is when running the Radius server in debug mode with full
> log-level, we see the client's username and password in clear-text as it
> attempts to bind to the LDAP server. Certainly we could change the debug
> mode level to not see this, but the fact that the ability to see that is
> available is troubling. I'm sure many others on this list use FreeRadius and
> I'm wondering what sort of policies you have in place to address this
> security risk. Anyone with high-level access to the box could certainly
> login, make a change to the debug level and capture sensitive login
> information.

This is an issue of your security policy.  FreeRADIUS has access to
LDAP.  Anyone who is not trusted enough to touch LDAP, should not be
touching FreeRADIUS.  This is how most interdependent services work
(Windows, Linux, or otherwise).

Running the server in debugging mode should only be done during setup
(and most likely on your dev box, not the production one).  Once
FreeRADIUS is working as it should, you shouldn't be running it in debug
mode.

An app like FreeRADIUS will always have access to the user/pass because
it needs that info to talk to LDAP.  Even if the debugging output didn't
have the user/pass, then anyone with enough rights to start/stop the app
can likely upload a hacked version of FreeRADIUS that does output the
user/pass.  It is just a matter of a print statement or two.

The short answer is don't give high-level access to this box to people
you don't trust.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com