On 1/8/07, Matt Ashfield <mda@unb.ca> wrote:
The issue we have is when running the Radius server in debug mode with full log-level, we see the cilent's username and password in clear-text as it attempts to bind to the LDAP server. Certainly we could change the debug mode level to not see this, but the fact that the ability to see that is available is troubling. I'm sure many others on this list use FreeRadius and I'm wondering what sort of policies you have in place to address this security risk. Anyone with high-level access to the box could certainly login, make a change to the debug level and capture sensitive login information.
Then again, someone with "high-level access" to the machine could install their own, trojaned copy of radiusd and associated rootkit to hide it, which really makes this a moot point, yes? That's one example -- there's numerous other things they could do to get the passwords. If you don't trust someone in your organization not to do this, why are you giving them "high-level" access in the first place? -- Jeremy L. Gaddis, MCP, GCWN http://www.linuxwiz.net/