On 21.02.2013 10:15, Danny Kurniawan wrote:
In Radius 1.x - SLES 10 when i run radiusd -X ; i don't see the user password (which is good). but in Radius 2.1.1 i can see it clearly ... how can i eliminate this cleartext password being showed there? I'm new to this authentication method or eap_mschap protocol, so please bear with me :)
/[peap] Got tunnled request EAP-Message = 0x020a00061a03 server (null) { PEAP: Setting User-Name to sdholakia2 Sending tunneled request EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "sdholakia2" State = 0xf32f92c4f22588e5c2ccbfc052ff2f65 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[control] returns noop ++[mschap] returns noop ++[unix] returns notfound ++[control] returns notfound [eap] EAP packet type response id 10 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for sdholakia2 [ldap] expand: (uid=%u) -> (uid=sdholakia2) [ldap] expand: ou=Active,ou=Users,o=FSID -> ou=Active,ou=Users,o=FSID rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Active,ou=Users,o=FSID, with filter (uid=sdhoakia2) [ldap] Added the eDirectory password Test in check items as Cleartext-Passwrd [ldap] looking for check items in directory.../
That's how it has been hard-coded in FR2.X and FR3. It is indeed arguable. For debugging eDirectory integration, it's quite nice. But you really have to restrict access to the freeradius server, so no one can start it with -X or run radmin debug. We could by default not output the password, and if you really need to see it, just echo control:Cleartext-Password after ldap.authorize Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org