suggestion for -X and sensitive data
Alan DeKok
aland at deployingradius.com
Tue Dec 1 19:35:10 CET 2020
On Dec 1, 2020, at 10:13 AM, Matt Zagrabelny via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Reading through the documentation at:
>
> http://wiki.freeradius.org/list-help
>
> It states to include the full output of radiusd -X. I do believe that the
> full output includes sensitive information, like passwords, that should not
> be posted to the mailing list.
Some of the sensitive information is removed, like shared secrets.
Other than that, it's difficult to know what's sensitive and what isn't. User-Password is simple perhaps. But there are many protocols used in FreeRADIUS, each of which has its own issues. Should the MS-CHAP data be omitted? If so, what about EAP-MSCHAP?
> What do folks think about replacing sensitive information in the output
> with "removed" or "sensitive data removed", etc?
>
> Personally, I think -X could use this new mode by default, and also add an
> option to not remove sensitive info.
I'm fine with removing sensitive data. The questions are:
a) what is sensitive
b) how do you remove it.
These issues aren't trivial. I suggest attempting to make a patch which is both understandable, and works. The process will be educational.
Alan DeKok.
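
The two questions in the reply above, "what is sensitive" and "how do you remove it", shown as an added example that is not part of the original message and is not FreeRADIUS code: a filter for saved debug output that masks chosen attribute values and then scrubs the same values where they reappear outside attribute lines. The attribute set, the `<removed>` marker, the `min_len` cutoff and the sample lines are assumptions made for illustration; the sample is constructed to resemble debug output.

```python
import re

# Assumption: which attributes are sensitive is a site policy decision.
# This set is illustrative, not a list defined by FreeRADIUS.
SENSITIVE = {"User-Password", "CHAP-Password", "MS-CHAP-Challenge",
             "MS-CHAP-Response", "MS-CHAP2-Response"}

def _pattern(names):
    # Match "<name> = <value>" to end of line; the lookbehind stops a
    # listed name from matching as the tail of a longer attribute name.
    alt = "|".join(re.escape(n) for n in sorted(names))
    return re.compile(r'(?<![\w-])(' + alt + r')(\s*[:+]?=\s*)(.+)$')

def redact(text, names=SENSITIVE, marker="<removed>", min_len=4):
    pat = _pattern(names)
    secrets, out = set(), []
    # Pass 1: mask the value on attribute lines and remember what it was.
    for line in text.splitlines():
        m = pat.search(line)
        if m:
            secrets.add(m.group(3).strip().strip('"'))
            line = line[:m.start(3)] + marker
        out.append(line)
    # Pass 2: the same value can show up again, e.g. in an expansion
    # result. Very short values are skipped so that unrelated text is not
    # shredded; that is a trade-off, and such values may survive.
    for s in sorted(secrets, key=len, reverse=True):
        if len(s) >= min_len:
            out = [l.replace(s, marker) for l in out]
    return "\n".join(out)

# Constructed sample, shaped like debug output; not captured from a server.
SAMPLE = '''(0) Received Access-Request Id 17 from 192.0.2.10:40000 to 192.0.2.1:1812 length 75
(0)   User-Name = "bob"
(0)   User-Password = "s3cr3t-pw"
(0)   NAS-IP-Address = 192.0.2.10
(0)     EXPAND %{User-Password}
(0)        --> s3cr3t-pw
(1)   User-Name = "alice"
(1)   MS-CHAP-Challenge = 0x0102030405060708'''

if __name__ == "__main__":
    print(redact(SAMPLE))
```

A filter that only rewrote the `User-Password = ...` line would still leave the password on the `-->` line, which is one reason the removal step is not trivial.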