Free Radius 2.1.1 showing clear text password at the debug mode

Olivier Beytrison olivier at heliosnet.org
Thu Feb 21 10:48:35 CET 2013


On 21.02.2013 10:15, Danny Kurniawan wrote:
> In Radius 1.x - SLES 10 when I run radiusd -X, I don't see the user
> password (which is good). But in Radius 2.1.1 I can see it clearly ...
> How can I eliminate this cleartext password being shown there? I'm new
> to this authentication method or eap_mschap protocol, so please bear
> with me :)
> 
> [peap] Got tunnled request
>         EAP-Message = 0x020a00061a03
> server (null) {
>   PEAP: Setting User-Name to sdholakia2
> Sending tunneled request
>         EAP-Message = 0x020a00061a03
>         FreeRADIUS-Proxied-To = 127.0.0.1
>         User-Name = "sdholakia2"
>         State = 0xf32f92c4f22588e5c2ccbfc052ff2f65
> server inner-tunnel {
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[control] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
> ++[control] returns notfound
> [eap] EAP packet type response id 10 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for sdholakia2
> [ldap]  expand: (uid=%u) -> (uid=sdholakia2)
> [ldap]  expand: ou=Active,ou=Users,o=FSID -> ou=Active,ou=Users,o=FSID
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Active,ou=Users,o=FSID, with filter
> (uid=sdhoakia2)
> [ldap] Added the eDirectory password Test in check items as
> Cleartext-Passwrd
> [ldap] looking for check items in directory...

That's how it has been hard-coded in FR2.X and FR3. It is indeed
arguable. For debugging eDirectory integration, it's quite nice. But you
really have to restrict access to the freeradius server, so no one can
start it with -X or run radmin debug.

We could by default not output the password, and if you really need to
see it, just echo control:Cleartext-Password after ldap.authorize.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: olivier at heliosnet.org
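
A filter for scrubbing password values out of a `radiusd -X` capture before it is stored or pasted into a list post, keyed to the rlm_ldap eDirectory line quoted in this thread. This is an added example, not part of the original message and not FreeRADIUS code; the function names, the attribute list and the sample log are constructed assumptions.

```python
import re
import sys

MASK = "<redacted>"

# rlm_ldap debug line quoted in this thread:
#   [ldap] Added the eDirectory password <value> in check items as ...
# Greedy match so a password that itself contains spaces is fully covered.
EDIR = re.compile(r"(Added the eDirectory password ).+( in check items as\b)")

# Attribute dumps such as  User-Password = "x"  or  Cleartext-Password := "x".
# The attribute list is an assumption; extend it for your own modules.
ATTR = re.compile(
    r'\b((?:User|Cleartext|NT|LM)-Password\s*(?::=|==|\+=|=)\s*)'
    r'(?:"(?:\\.|[^"\\])*"|\S+)'
)

def redact_line(line):
    """Return (scrubbed_line, number_of_values_masked)."""
    line, n1 = EDIR.subn(lambda m: m.group(1) + MASK + m.group(2), line)
    line, n2 = ATTR.subn(lambda m: m.group(1) + MASK, line)
    return line, n1 + n2

def redact_log(text):
    """Scrub a whole debug capture; works on '> '-quoted mail text too."""
    out, hits = [], 0
    for line in text.splitlines():
        new, n = redact_line(line)
        out.append(new)
        hits += n
    return "\n".join(out), hits

# Constructed sample, modelled on the output in this thread (not real data).
SAMPLE = """\
[ldap] performing user authorization for alice
[ldap] Added the eDirectory password S3cr3t pw in check items as Cleartext-Password
        User-Password = "S3cr3t pw"
++[ldap] returns ok"""

if __name__ == "__main__":
    # Usage: python3 redact.py < radius-debug.log   (file names are hypothetical)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    cleaned, count = redact_log(data)
    print(cleaned)
    print(f"# {count} value(s) masked", file=sys.stderr)
```

Masking the capture does not change what the server prints, so access to `-X` and `radmin` still has to be restricted as described above.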

