Hello, I've seen a couple of email in the list discussing the fact that User-Password is logged by the detail module. I have to change this behavior, but hope to get the change in future releases so I wanted to know where you guys stand. (so I don't have to patch) I plan on adding a config option for the detail module: logpass = yes/no In rlm_detail have the a/v pair associated with PW_PASSWORD skipped if logpass is set to no. Alternatively, output this line to the log: User-Password = <censored> Personally, I think any password attribute should not be logged, but there might be some history/backwards compatibility I'm unaware of. I welcome any comments or suggestions. Thanks, Ryan
"Ryan Melendez" <rmelendez@wayport.net> wrote:
I've seen a couple of email in the list discussing the fact that User-Password is logged by the detail module. I have to change this behavior, but hope to get the change in future releases so I wanted to know where you guys stand. (so I don't have to patch)
Personally, I don't see a lot of value in it. But if the patch is simple & the config is easy, I have no objections to it going in.
Personally, I think any password attribute should not be logged, but there might be some history/backwards compatibility I'm unaware of.
I don't think so. Make the default to log the password, and all backwards compatibility will be maintained. Question: are there *other* attributes which should be suppressed? If so, the configuration should take a list of attributes to censor, rather than just "logpass=yes/no" Alan DeKok.
participants (2)
-
Alan DeKok -
Ryan Melendez