a bit off-topic policy question

Gaddis, Jeremy L. jeremy at linuxwiz.net
Mon Jan 8 22:02:15 CET 2007


On 1/8/07, Matt Ashfield <mda at unb.ca> wrote:
> The issue we have is when running the Radius server in debug mode with full
> log-level, we see the client's username and password in clear-text as it
> attempts to bind to the LDAP server. Certainly we could change the debug
> mode level to not see this, but the fact that the ability to see that is
> available is troubling. I'm sure many others on this list use FreeRadius and
> I'm wondering what sort of policies you have in place to address this
> security risk. Anyone with high-level access to the box could certainly
> login, make a change to the debug level and capture sensitive login
> information.

Then again, someone with "high-level access" to the machine could
install their own, trojaned copy of radiusd and associated rootkit to
hide it, which really makes this a moot point, yes?

That's one example -- there's numerous other things they could do to
get the passwords.

If you don't trust someone in your organization not to do this, why
are you giving them "high-level" access in the first place?

-- 
Jeremy L. Gaddis, MCP, GCWN
http://www.linuxwiz.net/
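The risk Matt describes, that a full-debug radiusd run prints the user's password both in the request attributes and again in the rlm_ldap bind line, is easy to reproduce and worth having a scrubber for, since debug output tends to get pasted into tickets and mailing lists. The following is an added example, not code from the thread or from the FreeRADIUS project: a small Python redactor run over a constructed sample of debug output. The exact layout of the attribute and "[ldap] bind as" lines is an assumption modelled on typical `radiusd -X` output; the filter does not depend on it, because it learns the secret value from the sensitive attribute line and then masks every other occurrence of that same value, so the bind line is caught whatever its format is.

```python
import re

# Constructed sample of radiusd -X style debug output for a single
# Access-Request that is authenticated by binding to LDAP. This is not a
# capture from a real server; the line formats are an assumption.
SAMPLE_DEBUG = """rad_recv: Access-Request packet from host 192.0.2.10 port 1812, id=17, length=68
\tUser-Name = "alice"
\tUser-Password = "s3cr3t-pass"
\tNAS-IP-Address = 192.0.2.10
[ldap] performing user authorization for alice
[ldap] bind as uid=alice,ou=people,dc=example,dc=com/s3cr3t-pass to ldap.example.com:389
[ldap] Bind was successful
"""

# RADIUS attributes whose values must never reach a stored or shared log.
SENSITIVE_ATTRS = ("User-Password", "Cleartext-Password",
                   "CHAP-Password", "MS-CHAP-Response")

# Matches '<indent>User-Password = "value"' at the start of a line and
# captures the value so it can be masked wherever else it appears.
_ATTR_RE = re.compile(
    r'^(\s*(?:' + "|".join(re.escape(a) for a in SENSITIVE_ATTRS) + r')\s*=\s*)"([^"]*)"',
    re.MULTILINE,
)


def redact_debug_output(text, mask="<redacted>"):
    """Return text with sensitive attribute values masked.

    Every secret value seen in a sensitive attribute line is also masked
    everywhere else in the output, so a password that a module later
    echoes (for example in an LDAP bind line) is removed as well.
    """
    secrets = set()

    def _mask_attr(match):
        value = match.group(2)
        if value:                      # an empty password must not become a
            secrets.add(value)         # global replace of the empty string
        return match.group(1) + '"' + mask + '"'

    redacted = _ATTR_RE.sub(_mask_attr, text)
    # Longest secret first, so a value that is a prefix of another is
    # handled cleanly rather than leaving a partial leftover.
    for secret in sorted(secrets, key=len, reverse=True):
        redacted = redacted.replace(secret, mask)
    return redacted


def leaks_any(text, secrets):
    """True if any of the given secret strings still appears in text."""
    return any(s in text for s in secrets)


if __name__ == "__main__":
    print(redact_debug_output(SAMPLE_DEBUG))
```

Piping `radiusd -X 2>&1` through a filter like this before the output is saved or shared removes the password from both places it appears, but it does not change the point of the reply above: whoever can start the daemon in debug mode is still seeing the cleartext on their terminal, and that is a trust decision, not a logging one.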


