On Tue 04 Apr 2006 20:12, Ryan Melendez wrote:
Personally, I don't see a lot of value in it. But if the patch is simple & the config is easy, I have no objections to it going in.
If someone would rather send plain text over the wire rather than storing plain text passwords, logging the password gives up the main advantage for many in using PAP over CHAP.
Question: are there *other* attributes which should be suppressed? If so, the configuration should take a list of attributes to censor, rather than just "logpass=yes/no"
I don't know of any others, but suggestions are welcome. I'm going to go the single-line-option route unless someone chimes in.
We have actually had several discussions both on and off list about this and while Alan doesn't think that there is a particularly good reason to surpress passwords, I respectfully disagree with his opinion and can think of several scenarios you may want to. My suggestion however is to have something a little more generic like the following detail auth_log { detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d.txt detailperm = 0600 detailstrip = User-Password detailstrip = 3GPP-IMSI detailstrip = Other-Random-Attribute } This easily lets people strip out whatever attributes they want, not only passwords. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc