Mark Selby wrote:
I do not have any C programming experience but have made small modifications and compiled tens of open source software programs.
That will make it more difficult.
As a general practice we never ask what other users passwords are, never transmit passwords over the wire in clear text, and never log passwords on disk.
That's nice. But it's often more useful to have them.
I have found there are 2 ways to get the freeradius server to log clear text passwords and would like to ask for source code modification examples or at least pointers the right place to make them such that I can compile a custom version of the software that does not do this. We do want to be able ever to see our users passwords
This is a hopeless goal. If you have the shared secrets, you have the users passwords. Modifying the source code makes that less obviously true, but it's still true.
(1) log_auth_badpass|log_auth_goodpass
I see there are 4 source files (radiusd.h auth.c mainconfig.c radiusd.c) that include references to log_auth_badpass and log_auth_goodpass. I figure that I can read the code and make any minor modifications that make sure these options can not be turned on.
Or just never enable them. Why modify the source?
(2) radiusd -X
When running in debug mode I can often see on the screen output like the below:
Yes. It prints out the attributes it receives.
I can not seem to figure out in the code how to make sure that the User-Password is never printed in the clear like it is above. Any pointers to where in the code I can turn this off would be greatly appreciated.
See src/lib/radius.c. It prints out ALL of the attributes it receives. There is NOTHING magic about User-Password. Alan DeKok.